
Update Protection against SAP GUI SAPBExCommonResources ActiveX Command Execution


Check Point Reference: CPAI-2010-123
Date Published:
Severity:
Source: Discoverer advisory
Protection Provided by:
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
SAP GUI 7.10 and BI 7.0
Vulnerability Description
A buffer overflow vulnerability has been reported in SAP GUI, the GUI client in SAP's 3-tier architecture of database, application server and client. The vulnerability exists in the SAP GUI SAPBExCommonResources ActiveX control. The vulnerability may allow remote attackers to execute arbitrary commands by convincing a target user to open a maliciously crafted HTML document.
Update/Patch Available
Vendor's advisory
Vulnerability Details
The vulnerability is due to the SAPBExCommonResources control exposing its Execute method to scripts in web content. The method can be leveraged by attackers to execute arbitrary programs on the vulnerable host.

Protection Overview
The protection will detect and block attempts to use the SAP GUI SAPBExCommonResources ActiveX control in HTML documents.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the ActiveX Parser protection group.
3. Click User defined bad ActiveX Class ID (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Badfiles ActiveX class in HTML file Alert/Filter
Description: User defined bad ActiveX Class ID
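The "user defined bad ActiveX Class ID" check described under Protection Overview and the alert shown above, illustrated as an added example that is not Check Point's IPS-1 code: the scanner parses an HTML document, collects the classid of every object tag, normalizes the CLSID notation and raises the alert when it matches a blocklist. The advisory does not give the control's CLSID, so the blocklist entry is a placeholder, and the sample HTML is constructed.

```python
from html.parser import HTMLParser

# Constructed blocklist: the advisory names the control but not its CLSID,
# so this entry is a PLACEHOLDER, not the real SAPBExCommonResources CLSID.
BAD_CLASS_IDS = {
    "00000000-0000-0000-0000-000000000000": "SAP GUI SAPBExCommonResources (placeholder CLSID)",
}
ALERT_NAME = "Badfiles ActiveX class in HTML file"
ALERT_DESC = "User defined bad ActiveX Class ID"


def normalize_clsid(value):
    """Strip the 'clsid:' prefix, braces and case so notation variants compare equal."""
    v = value.strip().lower()
    if v.startswith("clsid:"):
        v = v[len("clsid:"):]
    return v.strip("{}")


class ObjectTagScanner(HTMLParser):
    """Collects the classid attribute of every <object> tag; HTMLParser already
    lower-cases tag and attribute names and tolerates attributes split across lines."""

    def __init__(self):
        super().__init__()
        self.class_ids = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            for name, value in attrs:
                if name == "classid" and value:
                    self.class_ids.append(normalize_clsid(value))


def scan_html(document):
    """Return one alert dict per blocklisted CLSID instantiated in the document."""
    parser = ObjectTagScanner()
    parser.feed(document)
    parser.close()
    return [{"alert": ALERT_NAME, "description": ALERT_DESC,
             "clsid": clsid, "control": BAD_CLASS_IDS[clsid]}
            for clsid in parser.class_ids if clsid in BAD_CLASS_IDS]


# Constructed sample: instantiates the placeholder CLSID with the formatting
# variation (uppercase prefix, braces, attribute on its own line) a filter must tolerate.
SAMPLE_HTML = """<html><body>
<object id="bex"
  classid="CLSID:{00000000-0000-0000-0000-000000000000}"></object>
</body></html>"""

if __name__ == "__main__":
    for alert in scan_html(SAMPLE_HTML):
        print(alert)
```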