Preemptive Protection against Novell GroupWise Agents HTTP Request Remote Code Execution

Check Point Reference: CPAI-2010-158
Date Published:
Preemptive Since:
Severity:
Source: Secunia Advisory SA40820
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Novell GroupWise 8 prior to 8.02HP
Vulnerability Description
A code execution vulnerability exists in the GroupWise agents HTTP interfaces. The vulnerability is due to insufficient bounds checking while parsing the Host header from an HTTP GET request. A remote attacker could exploit this vulnerability by sending a crafted HTTP request to the server. Successful exploitation could result in remote code execution. 
Update/Patch Available
Novell has released an advisory to address this vulnerability.
Vulnerability Details
The vulnerability is due to insufficient bounds checking while parsing the Host header from an HTTP GET request. A remote attacker can exploit this vulnerability to execute arbitrary code on the affected system. 

Protection Overview
No update is required to address this vulnerability. The protection detects and blocks HTTP requests whose Host header value exceeds a configurable length limit (255 characters by default).
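
The length check described above, as an added Python example (not Check Point's implementation and not code from this advisory): it parses a raw request head and blocks any request with a Host header value longer than the limit. The function names, the sample requests, and the handling of folded, duplicate and bare-LF headers are assumptions of this example.

```python
# Added example: flag HTTP requests whose Host header exceeds a length limit.
MAX_HOST_LEN = 255  # default limit stated in the advisory; configurable


def host_header_values(raw: bytes) -> list:
    """Return every Host header value found in the request head.

    Only the head (up to the first blank line) is inspected. Header names are
    matched case-insensitively, CRLF and bare LF are both accepted, and folded
    continuation lines are joined so that a long value split across lines is
    still measured in full (a conservative assumption of this example).
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    headers = []  # [lowercased name, value] pairs, in order of appearance
    for line in head.split(b"\n")[1:]:  # [1:] skips the request line
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += b" " + line.strip()  # folded continuation
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append([name.strip().lower(), value.strip()])
    return [value for name, value in headers if name == b"host"]


def check_request(raw: bytes, limit: int = MAX_HOST_LEN) -> dict:
    """Return 'block' if any Host value is longer than limit, else 'allow'."""
    values = host_header_values(raw)
    longest = max((len(v) for v in values), default=0)
    return {
        "action": "block" if longest > limit else "allow",
        "host_count": len(values),
        "longest_host": longest,
    }


# Constructed sample requests (not captured traffic).
NORMAL = b"GET / HTTP/1.1\r\nHost: gw.example.test\r\n\r\n"
OVERSIZED = b"GET / HTTP/1.1\r\nhOsT: " + b"A" * 300 + b"\r\n\r\n"
FOLDED = (b"GET / HTTP/1.1\r\nHost: " + b"A" * 200 +
          b"\r\n " + b"B" * 100 + b"\r\n\r\n")
AT_LIMIT = b"GET / HTTP/1.1\r\nHost: " + b"a" * 255 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("oversized", OVERSIZED),
                       ("folded", FOLDED), ("at-limit", AT_LIMIT)]:
        print(label, check_request(req))
```

A value of exactly 255 characters is allowed, since the protection is described as triggering only when the limit is exceeded.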

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Strict Compliance protection group.
3. Click Host: HTTP request line too long (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.

5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: HTTP Compliance
Description: Host: HTTP request line too long