Protect Yourself against Malformed IMAP Commands Vulnerabilities

Check Point Reference: SBP-2007-01
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Industry Reference(s): CVE-2006-2502
CVE-2006-1255
CVE-2006-0853
CVE-2005-4402
CVE-2005-4267
CVE-2005-3526
CVE-2005-0707
Protection Provided by: VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R61
Who is Vulnerable?
IMAP Servers
Vulnerability Description
Internet Message Access Protocol (IMAP) is a standard protocol for accessing e-mail from a local server that provides management of received messages on a remote server. Several IMAP servers contain buffer overflow errors in the way they handle IMAP commands. By specially crafting an overly long IMAP command, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution.
Vulnerability Details
These vulnerabilities are due to a buffer overflow error when processing overly long IMAP commands. A remote attacker can exploit this flaw via an overly long argument. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected system.

Protection Overview
Overly long IMAP commands may cause a buffer overflow on an affected IMAP server. The protection addresses this issue by validating the length of the malformed IMAP commands and blocking them if they exceed a certain length. This protection blocks all long IMAP commands on port 143 (IMAP standard port).
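
The length check described above, as an added Python example (not Check Point's implementation): the 1024-byte limit, the function name and the sample traffic are assumptions constructed for illustration. It measures only command text and skips IMAP literal payloads, so a legitimate APPEND of a large message is not flagged as an overly long command.

```python
import re

MAX_LINE = 1024  # assumed threshold; the advisory only says "a certain length"
LITERAL = re.compile(rb"\{(\d+)\+?\}$")  # literal marker, e.g. {310} or {310+}

def inspect_client_stream(data, max_line=MAX_LINE):
    """Return (verdict, command, length) for each command-line segment
    in a client-to-server IMAP byte stream (port 143 traffic)."""
    results, pos, command = [], 0, None
    while pos < len(data):
        end = data.find(b"\r\n", pos)
        # An unterminated tail is still measured: an over-long command
        # may never send its CRLF.
        line = data[pos:] if end == -1 else data[pos:end]
        pos = len(data) if end == -1 else end + 2
        if command is None:
            # First segment of a command: "<tag> <COMMAND> [arguments]"
            parts = line.split(b" ", 2)
            name = parts[1] if len(parts) > 1 else b"?"
            command = name[:16].decode("ascii", "replace").upper()
        if len(line) > max_line:
            results.append(("block", command, len(line)))
            break  # a blocking device would drop the connection here
        results.append(("pass", command, len(line)))
        m = LITERAL.search(line)
        if m:
            # Literal payload is counted data, not command text: skip it
            # and keep reading the remainder of the same command.
            pos += int(m.group(1))
        else:
            command = None  # command complete
    return results

# Constructed sample traffic (not captured from a real session).
SAMPLE = (
    b"a1 LOGIN alice secret\r\n"
    b"a2 APPEND INBOX {2000}\r\n" + b"M" * 2000 + b"\r\n"
    b"a3 SELECT " + b"A" * 2000 + b"\r\n"
    b"a4 NOOP\r\n"
)

if __name__ == "__main__":
    for verdict, cmd, length in inspect_client_stream(SAMPLE):
        print(f"{verdict:5} {cmd:8} line_length={length}")
```

The 2000-byte APPEND literal passes because only its 22-byte command line is measured, while the SELECT with a 2000-byte argument is blocked and nothing after it is processed.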

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Malformed IMAP Commands > Block Long IMAP Commands.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
APPEND command buffer overflow
AUTHENTICATE command buffer overflow
CAPABILITY command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
COPY command buffer overflow
CREATE command buffer overflow
DELETE command buffer overflow
DELETEACL command buffer overflow
EXAMINE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
GETACL command buffer overflow
GETQUOTA command buffer overflow
GETQUOTAROOT command buffer overflow
LIST command buffer overflow
LISTRIGHTS command buffer overflow
LOGIN command buffer overflow
LOGOUT command buffer overflow
LSUB command buffer overflow
MYRIGHTS command buffer overflow
NOOP command buffer overflow
RENAME command buffer overflow
SEARCH command buffer overflow
SELECT command buffer overflow
SETACL command buffer overflow
SETQUOTA command buffer overflow
STARTTLS command buffer overflow
STATUS command buffer overflow
STORE command buffer overflow
SUBSCRIBE command buffer overflow
UID command buffer overflow
UNSELECT command buffer overflow
UNSUBSCRIBE command buffer overflow
X_ATOM command buffer overflow

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:

Block Long IMAP Commands

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
APPEND command buffer overflow
AUTHENTICATE command buffer overflow
CAPABILITY command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
COPY command buffer overflow
CREATE command buffer overflow
DELETE command buffer overflow
DELETEACL command buffer overflow
EXAMINE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
GETACL command buffer overflow
GETQUOTA command buffer overflow
GETQUOTAROOT command buffer overflow
LIST command buffer overflow
LISTRIGHTS command buffer overflow
LOGIN command buffer overflow
LOGOUT command buffer overflow
LSUB command buffer overflow
MYRIGHTS command buffer overflow
NOOP command buffer overflow
RENAME command buffer overflow
SEARCH command buffer overflow
SELECT command buffer overflow
SETACL command buffer overflow
SETQUOTA command buffer overflow
STARTTLS command buffer overflow
STATUS command buffer overflow
STORE command buffer overflow
SUBSCRIBE command buffer overflow
UID command buffer overflow
UNSELECT command buffer overflow
UNSUBSCRIBE command buffer overflow
X_ATOM command buffer overflow

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:

Block Long IMAP Commands

3. Install security policy.

How Do I Know if My Network is Under Attack?
Rule #99150 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:

Block Long IMAP Commands

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99150 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
3. Select the following protection:

Block Long IMAP Commands

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
APPEND command buffer overflow
AUTHENTICATE command buffer overflow
CAPABILITY command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
COPY command buffer overflow
CREATE command buffer overflow
DELETE command buffer overflow
DELETEACL command buffer overflow
EXAMINE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
GETACL command buffer overflow
GETQUOTA command buffer overflow
GETQUOTAROOT command buffer overflow
LIST command buffer overflow
LISTRIGHTS command buffer overflow
LOGIN command buffer overflow
LOGOUT command buffer overflow
LSUB command buffer overflow
MYRIGHTS command buffer overflow
NOOP command buffer overflow
RENAME command buffer overflow
SEARCH command buffer overflow
SELECT command buffer overflow
SETACL command buffer overflow
SETQUOTA command buffer overflow
STARTTLS command buffer overflow
STATUS command buffer overflow
STORE command buffer overflow
SUBSCRIBE command buffer overflow
UID command buffer overflow
UNSELECT command buffer overflow
UNSUBSCRIBE command buffer overflow
X_ATOM command buffer overflow

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:

Block Long IMAP Commands

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
APPEND command buffer overflow
AUTHENTICATE command buffer overflow
CAPABILITY command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
COPY command buffer overflow
CREATE command buffer overflow
DELETE command buffer overflow
DELETEACL command buffer overflow
EXAMINE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
GETACL command buffer overflow
GETQUOTA command buffer overflow
GETQUOTAROOT command buffer overflow
LIST command buffer overflow
LISTRIGHTS command buffer overflow
LOGIN command buffer overflow
LOGOUT command buffer overflow
LSUB command buffer overflow
MYRIGHTS command buffer overflow
NOOP command buffer overflow
RENAME command buffer overflow
SEARCH command buffer overflow
SELECT command buffer overflow
SETACL command buffer overflow
SETQUOTA command buffer overflow
STARTTLS command buffer overflow
STATUS command buffer overflow
STORE command buffer overflow
SUBSCRIBE command buffer overflow
UID command buffer overflow
UNSELECT command buffer overflow
UNSUBSCRIBE command buffer overflow
X_ATOM command buffer overflow

Connectra NGX R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:

Block Long IMAP Commands

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
APPEND command buffer overflow
AUTHENTICATE command buffer overflow
CAPABILITY command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
COPY command buffer overflow
CREATE command buffer overflow
DELETE command buffer overflow
DELETEACL command buffer overflow
EXAMINE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
GETACL command buffer overflow
GETQUOTA command buffer overflow
GETQUOTAROOT command buffer overflow
LIST command buffer overflow
LISTRIGHTS command buffer overflow
LOGIN command buffer overflow
LOGOUT command buffer overflow
LSUB command buffer overflow
MYRIGHTS command buffer overflow
NOOP command buffer overflow
RENAME command buffer overflow
SEARCH command buffer overflow
SELECT command buffer overflow
SETACL command buffer overflow
SETQUOTA command buffer overflow
STARTTLS command buffer overflow
STATUS command buffer overflow
STORE command buffer overflow
SUBSCRIBE command buffer overflow
UID command buffer overflow
UNSELECT command buffer overflow
UNSUBSCRIBE command buffer overflow
X_ATOM command buffer overflow