
Update Protection against Trend Micro OfficeScan Server cgiRecvFile Buffer Overflow


Check Point Reference: CPAI-2008-221
Date Published:
Severity:
Source: Secunia: SA31342
Industry Reference(s): CVE-2008-2437
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Trend Micro Client Server Messaging Security for SMB 2.0
Trend Micro Client Server Messaging Security for SMB 3.0
Trend Micro Client Server Messaging Security for SMB 3.5
Trend Micro Client Server Messaging Security for SMB 3.6
Trend Micro OfficeScan Corporate Edition 7.3
Trend Micro OfficeScan Corporate Edition 8.x
Vulnerability Description
A buffer overflow vulnerability exists in Trend Micro OfficeScan which, if successfully exploited, allows execution of arbitrary code. Trend Micro OfficeScan is a centralized virus and security scan management system. The application fails to properly handle specially crafted, user-supplied parameters, allowing an attacker to compromise a vulnerable computer.
Vulnerability Status
Currently, there are no known exploits.
Update/Patch Available
Trend Micro has released fixes to address the issue:

Trend Micro OfficeScan 7.3:
http://www.trendmicro.com/ftp/product...CE_7.3_Win_EN_CriticalPatch_B1367.exe

Trend Micro OfficeScan 7.0:
http://www.trendmicro.com/ftp/product...CE_7.0_Win_EN_CriticalPatch_B1400.exe

Trend Micro OfficeScan 8.0:
http://www.trendmicro.com/ftp/product...CE_8.0_Win_EN_CriticalPatch_B1361.exe

Trend Micro OfficeScan 8.0 Service Pack 1:
http://www.trendmicro.com/ftp/product....0_SP1_Win_EN_CriticalPatch_B2424.exe

Trend Micro OfficeScan 8.0 Service Pack 1 Patch 1:
http://www.trendmicro.com/ftp/product...Patch1_Win_EN_CriticalPatch_B3060.exe

Trend Micro Client Server Messaging Security 3.6:
http://www.trendmicro.com/ftp/product...CE_7.6_Win_EN_CriticalPatch_B1195.exe
Vulnerability Details
The vulnerability is due to a boundary error in cgiRecvFile.exe. This can be exploited to cause a stack-based buffer overflow via an HTTP request with a specially crafted, overly long "ComputerName" parameter.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click WEB Intelligence > WWW2, and select the CGI protection group.
3. Click Trend Micro OfficeScan Server cgiRecvFile Buffer Overflow (IPS-1 NGX R65).  
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: www2_cgi
Description: www_cgi_cve_2008_2437_alert
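
As a complement to the IPS-1 alert, web server access logs can be checked for the request pattern described under Vulnerability Details. The following Python is an added example, not Check Point or Trend Micro code; it assumes the "ComputerName" parameter appears in the query string of a combined-format access log, and the 64-character threshold, the /cgi-placeholder/ directory and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the page gives no length limit. 64 is a constructed threshold,
# well above the 15-character NetBIOS computer-name limit on Windows.
MAX_COMPUTERNAME_LEN = 64

# Request line as it appears in a combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def computername_lengths(target):
    """Decoded lengths of every ComputerName value sent to cgiRecvFile.exe."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cgirecvfile.exe"):
        return []
    # parse_qsl percent-decodes, so %41%41... is measured as the characters
    # the CGI would receive, not as the longer encoded form.
    return [len(value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name.lower() == "computername"]


def suspicious_lines(log_lines, limit=MAX_COMPUTERNAME_LEN):
    """Return (line_number, longest_value) for each over-limit request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        lengths = computername_lengths(match.group("target"))
        if lengths and max(lengths) > limit:
            hits.append((number, max(lengths)))
    return hits


# Constructed sample log; /cgi-placeholder/ is a placeholder directory.
PREFIX = '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    PREFIX + '/cgi-placeholder/cgiRecvFile.exe?ComputerName=WS-ACCT-01 HTTP/1.1" 200 120',
    PREFIX + '/cgi-placeholder/cgiRecvFile.exe?ComputerName=' + "A" * 300 + ' HTTP/1.1" 500 0',
    PREFIX + '/cgi-placeholder/cgiRecvFile.exe?ComputerName=' + "%41" * 100 + ' HTTP/1.1" 500 0',
    PREFIX + '/cgi-placeholder/other.exe?ComputerName=' + "B" * 300 + ' HTTP/1.1" 404 0',
    PREFIX + '/cgi-placeholder/CGIRECVFILE.EXE?computername=' + "C" * 65 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for number, length in suspicious_lines(SAMPLE_LOG):
        print(f"line {number}: ComputerName is {length} characters")
```

Requests that carry the parameter in a POST body do not appear in access logs, so this check supplements the IPS-1 protection rather than replacing it.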