Update Protection against openwsman HTTP Basic Authentication Buffer Overflow

Vulnerability
Protection

Check Point Reference:	CPAI-2008-235
Date Published:
Severity:
Source:	Secunia Advisory: SA31410
Industry Reference(s):	CVE-2008-2234
Protection Provided by:	IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? openwsman 1.x openwsman 2.x
Vulnerability Description A buffer overflow vulnerability was reported in Openwsman. Openwsman is an implementation of Web Services Management (WS-Management) specification. It is used in the VMware Management ServiceConsole. The vulnerability is due to improper bounds checking of HTTP authorization headers. Remote unauthenticated attackers could exploit this vulnerability by sending HTTP requests with overly long header values. Successful exploitation would result in execution of arbitrary code or a denial of service condition.

Vulnerability Status The vulnerability has been publicly disclosed.
Vulnerability Details In order for a remote attack to be successful, the attacker needs to have access to the service console network.

Protection Overview
By enabling this protection, IPS-1 will detect and block CGI requests with invalid HTTP Authentication header lengths.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the CGI Attacks protection group
3. Click Openwsman Basic Authentication Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: WWW/CGI Attacks Protection Group
Description: Openwsman Basic Authentication Buffer Overflow

Legal Notice for Threat Center Advisories