
Preemptive Protection against Mercury Mail Transport System SMTP AUTH CRAM-MD5 Buffer Overflow Vulnerability


Check Point Reference: CPAI-2007-103
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2007-2918
Industry Reference(s): CVE-2007-4440
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
  • 2.0 and 1.x
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Mercury Mail Transport System version 4.51 and prior
Vulnerability Description
A buffer overflow vulnerability has been reported in Mercury Mail Transport System. Mercury Mail Transport System is a free mail server program that supports various email access and exchange protocols, including the Simple Mail Transfer Protocol (SMTP). A remote attacker can exploit this issue to create a denial of service condition or to execute arbitrary code on a vulnerable system.
Update/Patch Available
Apply patches:
http://www.pmail.com/patches.htm
Vulnerability Details
The vulnerability is due to a boundary error in the Mercury Mail Transport System, which fails to properly handle CRAM-MD5 strings following the SMTP AUTH command. An attacker can exploit this flaw via a long AUTH CRAM-MD5 string. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected server.

Protection Overview
By enabling this protection, SmartDefense will detect and block all authentication commands (AUTH) over SMTP connections. No update is required to address this vulnerability.
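The two controls discussed above, as an added example (not Check Point's signature logic or Mercury's code): a blanket AUTH block like the one this protection configures, next to a narrower length and format check on the CRAM-MD5 response. The function names, the 512-byte cap, and the simplification that the client line following `AUTH CRAM-MD5` is the response are assumptions made for the example.

```python
import base64
import binascii
import re

# Assumption: cap on the base64 response line. A legitimate CRAM-MD5 response
# decodes to "<username> <32 lowercase hex digits>", so 512 bytes is generous.
MAX_RESPONSE_LEN = 512
CRAM_RESPONSE = re.compile(rb"[^\x00\r\n]{1,255} [0-9a-f]{32}")

# Constructed client-side sample lines, not taken from a real capture.
GOOD = [b"EHLO client.example\r\n", b"AUTH CRAM-MD5\r\n",
        base64.b64encode(b"tim " + b"0" * 32) + b"\r\n"]
LONG = [b"EHLO client.example\r\n", b"AUTH CRAM-MD5\r\n", b"QUFB" * 400 + b"\r\n"]


def response_problem(line):
    """Return why a CRAM-MD5 response line is rejected, or None if it is fine."""
    if len(line) > MAX_RESPONSE_LEN:
        return "CRAM-MD5 response of %d bytes exceeds limit" % len(line)
    try:
        decoded = base64.b64decode(line, validate=True)
    except (binascii.Error, ValueError):
        return "CRAM-MD5 response is not valid base64"
    if not CRAM_RESPONSE.fullmatch(decoded):
        return "CRAM-MD5 response is not '<user> <32 hex digits>'"
    return None


def check_client_lines(lines, block_auth=False):
    """Return (line_number, reason) findings for client-sent SMTP lines."""
    findings, awaiting_response = [], False
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip(b"\r\n")
        words = line.split()
        if awaiting_response:
            awaiting_response = False
            reason = None if line == b"*" else response_problem(line)  # "*" cancels
            if reason:
                findings.append((number, reason))
        elif words and words[0].upper() == b"AUTH":
            if block_auth:  # blanket policy, as the protection above configures
                findings.append((number, "AUTH command blocked by policy"))
            elif len(words) > 1 and words[1].upper() == b"CRAM-MD5":
                if len(words) > 2:  # CRAM-MD5 defines no initial response
                    findings.append((number, "unexpected data after AUTH CRAM-MD5"))
                else:
                    awaiting_response = True
    return findings
```

With `block_auth=True` every AUTH attempt is reported, including legitimate ones, which is the trade-off of the blanket block; the default mode only reports CRAM-MD5 exchanges that are over-long or malformed.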

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65, R62, R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Mail Security Server.

2. In the configuration pane, if you choose Configurations apply to all connections:
I. In the Security tab, add a new rule.
II. Under Service field, right-click the value field > Add, and choose the TCP service smtp.
III. Under Action field, right-click the value field > Accept.
IV. Configure the rest of the rule fields in accordance with your network policy.

3. In the configuration pane, if you choose Configurations apply only to connections related to resources used in the Rule Base:
I. In the Security tab, add a new rule.
II. Under Service field, right-click the value field > Add, and choose the SMTP service smtp_resource.
III. Under Action field, right-click the value field > Accept.
IV. Configure the rest of the rule fields in accordance with your network policy.

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Received an unknown command (AUTH)
Attack Information: mail server

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail.

2. In the configuration pane, if you choose Configurations apply to all connections:
I. In the Security tab, add a new rule.
II. Under Service field, right-click the value field > Add, and choose the TCP service smtp.
III. Under Action field, right-click the value field > Accept.
IV. Configure the rest of the rule fields in accordance with your network policy.

3. In the configuration pane, if you choose Configurations apply only to connections related to resources used in the Rule Base:
I. In the Security tab, add a new rule.
II. Under Service field, right-click the value field > Add, and choose the SMTP service smtp_resource.
III. Under Action field, right-click the value field > Accept.
IV. Configure the rest of the rule fields in accordance with your network policy.

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will not produce any logs.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Mail > SMTP.
3. Select the following protection:

SMTP Format Restrictions

4. In the configuration pane, under Block Commands, select: AUTH.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Secuirty Violation
Attack Information: Commad was blocked by Security Policy

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail.
2. Select the following protection:

External Mail Protection

3. In the configuration pane select: Block SMTP traffic to external Mail Server
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Mail
Attack Information: A connection attempt to an external mail server

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > SMTP2, and select the Compliance protection group.
3. Click smtp2_compliance:cve_2007_4440_alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: smtp2_compliance
Description: cve_2007_4440_alert