Preemptive Protection against IBM Lotus Domino IMAP Server Buffer Overflow Vulnerability

Vulnerability
Protection

Check Point Reference:	CPAI-2007-125
Date Published:
Severity:
Last Updated:
Source:	Secunia Advisory: SA27321
Industry Reference(s):	CVE-2007-3510
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 NG with Application Intelligence R55 VSX NGX InterSpect NGX Connectra NGX R62 NGX R61
Who is Vulnerable? IBM Lotus Domino 6.x prior to 6.5.6 Fix Pack 2 IBM Lotus Domino 7.x prior to 7.0.3
Vulnerability Description A buffer overflow vulnerability has been reported in IBM Lotus Domino Server. IBM Lotus Domino Server is a software that provides mail, messaging, calendaring for multiple platforms. The flaw is within the IBM Lotus Domino IMAP service. Internet Message Access Protocol (IMAP) is a standard protocol for accessing e-mail from a local server that provides management of received messages on a remote server. A remote attacker can exploit this issue to trigger a buffer overflow which may lead to an application crash and to arbitrary code execution.

Update/Patch Available Upgrade to IBM Lotus Domino version 7.0.3 or 8.0: IBM
Vulnerability Details The flaw in the IMAP service of IBM Lotus Domino is due to a boundary error when the server is processing LSUB requests. A remote attacker can exploit this flaw via an overly long LSUB request. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected server.

Protection Overview
By enabling these protections, SmartDefense will detect and block long IMAP commands that exceed a certain length and malformed or long IMAP literals that exceed a certain length, except for the following IMAP commands: FETCH, UID and APPEND. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Malformed IMAP Commands > Block Long IMAP Commands and Block Long IMAP Literals.
2. In the configuration pane of both protections, under Settings > Mode, check Active.
3. In the Block Long IMAP Commands configuration pane, limit the command length to 260 bytes.
4. In the Block Long IMAP Literals configuration pane, limit the max value of the literals to 260.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
SUBSCRIBE command buffer overflow
LSUB command buffer overflow
Overly long IMAP literal detected

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Enable the following protections:

Block Long IMAP Commands
Block Long IMAP Literals

3. In the Block Long IMAP Commands configuration pane, limit the command length to 260 bytes.
4. In the Block Long IMAP Literals configuration pane, limit the max value of the literals to 260.
5. Install security policy on all modules.

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Enable the following protections:

How Do I Know if My Network is Under Attack?
Rules #99152 and #99150 will appear on the SmartView Tracker for SUBSCRIBE/LSUB command buffer overflow and for Overly long IMAP literal accordingly.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Enable the following protections:

Block Long IMAP Commands
Block Long IMAP Literals

3. In the Block Long IMAP Commands configuration pane, limit the command length to 260 bytes.
4. In the Block Long IMAP Literals configuration pane, limit the max value of the literals to 260.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rules #99152 and #99150 will appear on the SmartView Tracker for SUBSCRIBE/LSUB command buffer overflow and for Overly long IMAP literal accordingly.

InterSpect NGX

How Can I Protect My Network?
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
3. Enable the following protections:

Block Long IMAP Commands
Block Long IMAP Literals

4. In the Block Long IMAP Commands configuration pane, limit the command length to 260 bytes.
5. In the Block Long IMAP Literals configuration pane, limit the max value of the literals to 260.
6. Install security policy on all modules.

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following protections:

Block Long IMAP Commands
Block Long IMAP Literals

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: IMAP Protocol Violation
Attack Information:
SUBSCRIBE command buffer overflow
LSUB command buffer overflow
Overly long IMAP literal detected

Legal Notice for Threat Center Advisories