Update Protection against IBM Lotus Domino Buffer Overflow Vulnerability
| Check Point Reference: | CPAI-2007-065 | |
| Date Published: | ||
| Severity: | ||
| Source: | Secunia Advisory: SA24633 | |
| Industry Reference(s): | CVE-2007-1675 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? IBM Lotus Domino 6.x prior to 6.5.6 IBM Lotus Domino 7.x prior to 7.0.2 FP1 | ||
| Vulnerability Description A buffer overflow vulnerability has been reported in IBM Lotus Domino Server. IBM Lotus Domino Server is a software that provides mail, messaging, calendaring for multiple platforms. The flaw is within the IBM Lotus Domino IMAP service. Internet Message Access Protocol (IMAP) is a standard protocol for accessing e-mail from a local server that provides management of received messages on a remote server. A remote attacker can exploit this issue to trigger a buffer overflow which may lead to an application crash and to arbitrary code execution. |
||
|
Update/Patch Available Upgrade your product to version 6.5.6 or 7.0.2 (Fix Pack 1): http://www14.software.ibm.com/webapp/download/support.jsp |
|
|
Vulnerability Details The flaw in the IMAP service of IBM Lotus Domino is due to a boundary error when the server is processing CRAM-MD5 authentication. CRAM-MD5 is a challenge-response authentication mechanism. A remote attacker can exploit this flaw via an overly long username. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected server. |
Protection Overview
By enabling this protection, SmartDefense will detect and block attempts to exploit IBM Lotus Domino IMAP server via CRAM-MD5 authentication mechanism.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on May 30, 2007 includes the following protections:
Microsoft CAPICOM Vulnerability (MS07-028) - CPAI-2007-064
IBM Lotus Domino Vulnerability (CPAI-2007-065)
Multiple Microsoft Internet Explorer Vulnerabilities (MS07-027) - CPAI-2007-066
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Malformed IMAP Commands > Block IBM IMAP Malformed CRAM-MD5 Authentication.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: Malformed IBM IMAP cram-md5 authentication detected
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:
Block IBM IMAP Malformed CRAM-MD5 Authentication
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: Malformed IBM IMAP cram-md5 authentication detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:
Block IBM IMAP Malformed CRAM-MD5 Authentication
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99882 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:
Block IBM IMAP Malformed CRAM-MD5 Authentication
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99882 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
3. Select the following protection:
Block IBM IMAP Malformed CRAM-MD5 Authentication
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: Malformed IBM IMAP cram-md5 authentication detected
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:
Block IBM IMAP Malformed CRAM-MD5 Authentication
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: Malformed IBM IMAP cram-md5 authentication detected
Connectra NGX R62 & R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block IBM IMAP Malformed CRAM-MD5 Authentication
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:
Attack Name: IMAP Protocol Violation
Attack Information: Malformed IBM IMAP cram-md5 authentication detected