
Preemptive Protection against Novell GroupWise Internet Agent Email Address Processing Buffer Overflow Vulnerability


Check Point Reference: CPAI-2009-097
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Secunia Advisory: SA35177
Industry Reference(s): CVE-2009-1636
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Novell GroupWise 7.x
Novell GroupWise 8.0
Vulnerability Description
A buffer overflow vulnerability has been reported in Novell GroupWise, a client-server collaboration and email system provided by Novell. The vulnerability is due to an error while processing specially crafted SMTP requests. Remote attackers can exploit this vulnerability to execute arbitrary code on the target server.
Update/Patch Available
The vendor, Novell, has released an advisory addressing this vulnerability:
Novell
Vulnerability Details
The vulnerability exists in the Novell GroupWise Internet Agent (GWIA) software. Specifically, it is due to a boundary error while parsing the MAIL FROM command. Remote unauthenticated attackers could exploit this vulnerability by sending a crafted MAIL FROM command to the target server. Successful exploitation could allow for remote code execution.

Protection Overview
This protection will detect and block malformed email addresses.
No update is required to address this vulnerability for users of IPS-1. IPS-1 will detect and block excessively long SMTP commands that exceed the maximum threshold.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > SMTP.
2. In the right pane, double-click the Novell GroupWise Email Address Processing Buffer Overflow protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Novell GroupWise email address processing buffer overflow

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > SMTP > Novell GroupWise Email Address Processing Buffer Overflow.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Novell GroupWise email address processing buffer overflow

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > SMTP > Novell GroupWise Email Address Processing Buffer Overflow.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Novell GroupWise email address processing buffer overflow

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > SMTP2, and select the Long Lines protection group.
3. Click longcommand_alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

The threshold is configurable via Application Intelligence > SMTP2 > Long Lines General Settings > 'SMTP Command length checks'. The default is 128.
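
The same kind of length check can be run offline over captured client-side SMTP commands, for example to see which commands a given threshold would flag before changing it. The following is an added example, not Check Point or Novell code; it goes beyond the advisory by also applying the RFC 5321 size limits to the MAIL FROM reverse-path. Assumptions: the threshold is counted in octets with the trailing CRLF excluded (the advisory does not say how IPS-1 measures it), and the names `check_command`, `scan_session` and `SAMPLE` are hypothetical.

```python
import re

# Default of the IPS-1 'SMTP Command length checks' setting quoted above.
MAX_COMMAND_LEN = 128
# RFC 5321 section 4.5.3.1 size limits in octets (not taken from the advisory).
MAX_LOCAL_PART, MAX_DOMAIN, MAX_PATH = 64, 255, 256
MAIL_FROM = re.compile(rb"^MAIL FROM:\s*<([^>\r\n]*)>", re.IGNORECASE)


def check_command(line, max_len=MAX_COMMAND_LEN):
    """Return the findings for one client command line (CRLF already stripped)."""
    findings = []
    if len(line) > max_len:
        findings.append(f"long command: {len(line)} > {max_len} octets")
    if line[:10].upper() == b"MAIL FROM:":
        m = MAIL_FROM.match(line)
        if m is None:
            findings.append("MAIL FROM without a well-formed <reverse-path>")
        else:
            path = m.group(1)  # empty for the valid null reverse-path "<>"
            local, _, domain = path.rpartition(b"@")
            if len(path) + 2 > MAX_PATH:  # the limit includes the angle brackets
                findings.append("reverse-path exceeds 256 octets")
            if len(local) > MAX_LOCAL_PART:
                findings.append("local-part exceeds 64 octets")
            if len(domain) > MAX_DOMAIN:
                findings.append("domain exceeds 255 octets")
    return findings


def scan_session(client_lines, max_len=MAX_COMMAND_LEN):
    """Map 1-based line number to findings for each command that trips a check."""
    report = {}
    for n, raw in enumerate(client_lines, 1):
        found = check_command(raw.rstrip(b"\r\n"), max_len)
        if found:
            report[n] = found
    return report


# Constructed sample input: client commands only (message body lines after DATA
# are not commands and must not be fed to the scanner).
SAMPLE = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RSET\r\n",
    b"MAIL FROM:<" + b"a" * 300 + b"@example.com>\r\n",
    b"MAIL FROM:<bob@example.com\r\n",
]
```
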

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: SMTP Long Lines
Description: longcommand_alert