
Security Best Practice: Protect Yourself from Multiple POP3 Vulnerabilities


Check Point Reference: SBP-2010-05
Date Published:
Severity:
Source: IPS Research Center
Protection Provided by: Security Gateway
  • R70
Who is Vulnerable?
POP3 Mail Servers
Vulnerability Description
Post Office Protocol version 3 (POP3) is an electronic mail protocol used to retrieve messages stored on e-mail servers. POP3 is a 'pull' protocol: to check for messages, a client connects to its mail server, logs in to its mailbox using the POP3 protocol, and 'pulls' out its messages. POP3 allows the remote client to view, download, list and delete messages.

There are several serious security limitations with the POP3 protocol that allow malicious attackers to compromise a remote server, gain full access rights or launch denial of service (DoS) attacks.
Vulnerability Details
IPS offers several preemptive protections against POP3 related vulnerabilities:

Empty POP3 Username - According to RFC 1939, a username must be provided before downloading emails from the POP3 server. Not providing a username might indicate an attempt to attack the server. By activating this protection, IPS can detect or prevent POP3 connections with login attempts which do not contain a user.

Empty POP3 Password - According to RFC 1939, a password must be provided before downloading emails from the POP3 server. Not providing a password might indicate an attempt to attack the server or enter the POP3 account without permission. In addition, enforcing a non-empty POP3 password policy increases security. By activating this protection, IPS can detect or prevent POP3 connections with login attempts which do not contain a password.

Non Compliant POP3 - Unexpected characters used in POP3 connections might indicate an attempt to attack the mail server. By activating this protection, IPS can detect or prevent POP3 connections which cannot be inspected because they violate the fundamentals of the POP3 protocol.

POP3 STARTTLS Command - Block attempts to use encrypted TLS sessions for POP3, as defined in RFC 2595. By activating this protection, IPS can detect or prevent POP3 connections which are encrypted. Note: if this protection is not enabled and the POP3 session is encrypted, it may not be possible to enforce other POP3 protections for this connection.

Use Malicious Code Protector for POP3 - By manipulating the POP3 command arguments so that they contain assembler code, an attacker can create a memory corruption that can cause a server to crash or even run arbitrary code. An attack exploiting such a vulnerability does not require user interaction, which allows it to spread easily via reusable exploit scripts or worms. By enabling this protection, IPS will analyze POP3 commands (other than mail data), assess the danger, and allow or reject connections accordingly. Because it analyzes command arguments dynamically, it is able to protect against most future vulnerabilities without the need for patterns or updates.

Maximum Bad POP3 Commands Enforcement - A POP3 connection in which there is a large number of commands to which the POP3 server returns an error might indicate an attempt to attack the POP3 server. By enabling this protection, IPS will limit the number of bad commands allowed per POP3 connection.

Maximum POP3 Command Line Length Enforcement - An attacker might attempt to exploit a buffer overflow vulnerability that may exist in the POP3 server by sending a long POP3 command. By activating this protection, IPS can detect or prevent POP3 commands which are longer than the configured maximum.

Maximum POP3 Commands Per Connection Enforcement - An attacker might attempt to use the resources of a POP3 server by sending a large number of POP3 commands per connection. This may result in denial of service to legitimate users. By enabling this protection, IPS will limit the number of POP3 commands allowed per connection.
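The following is an added example, not Check Point's code, that applies the policy checks described above (empty USER/PASS, non-compliant lines, STLS, bad-command and command-count limits, line length) to a constructed POP3 command stream and reports findings worded like the SmartView Tracker entries; the thresholds are assumed values, and the Malicious Code Protector analysis is out of scope.

```python
import re

# Thresholds are constructed for this example; the gateway's configured values are not on the page.
DEFAULT_MAX_LINE_LEN = 512
DEFAULT_MAX_BAD_CMDS = 3
DEFAULT_MAX_CMDS = 100

# RFC 1939 command line: 3-4 letter keyword, optional space-separated arguments, printable ASCII only.
CMD_RE = re.compile(r"[A-Za-z]{3,4}(?: [\x20-\x7E]*)?")

def inspect_pop3_session(client_lines, server_replies, max_line_len=DEFAULT_MAX_LINE_LEN,
                         max_bad_cmds=DEFAULT_MAX_BAD_CMDS, max_cmds=DEFAULT_MAX_CMDS):
    """Apply the POP3 policy checks described above to one connection.

    client_lines are the raw lines the client sent (CRLF included); server_replies are the
    server status lines, one per command. Returns (attack_name, attack_information) pairs
    worded like the SmartView Tracker entries.
    """
    findings = []
    bad_cmds = 0
    for i, raw in enumerate(client_lines):
        reply = server_replies[i] if i < len(server_replies) else "+OK"
        if reply.startswith("-ERR"):                    # Maximum Bad POP3 Commands Enforcement
            bad_cmds += 1
        if len(raw) > max_line_len:                     # Maximum POP3 Command Line Length Enforcement
            findings.append(("POP3 Format Violation", "Command line is too long"))
            continue
        line = raw[:-2] if raw.endswith("\r\n") else None
        if line is None or not CMD_RE.fullmatch(line):  # Non Compliant POP3: bad framing or bytes
            findings.append(("POP3 Policy Violation", "Non protocol-compliant connection"))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER" and not arg.strip():          # Empty POP3 Username
            findings.append(("POP3 Policy Violation", "No username supplied in USER command"))
        elif verb == "PASS" and not arg.strip():        # Empty POP3 Password
            findings.append(("POP3 Policy Violation", "No password supplied in PASS command"))
        elif verb == "STLS":                            # POP3 STARTTLS Command (RFC 2595 names it STLS)
            findings.append(("POP3 Policy Violation", "Illegal POP3 TLS session"))
    if bad_cmds > max_bad_cmds:
        findings.append(("POP3 Policy Violation", "Too many bad commands"))
    if len(client_lines) > max_cmds:                    # Maximum POP3 Commands Per Connection Enforcement
        findings.append(("POP3 Policy Violation", "Too many commands"))
    return findings

# Constructed sample session (not captured traffic): one client line per server reply.
SAMPLE_CLIENT = ["USER\r\n", "PASS\r\n", "STLS\r\n", "RETR 1\r\n",
                 "NOOP\x00\x01\r\n", "LIST " + "A" * 600 + "\r\n"]
SAMPLE_REPLIES = ["-ERR", "-ERR", "-ERR", "+OK", "-ERR", "-ERR"]
```

A well-formed login sequence with +OK replies produces no findings, while each malformed line in the sample maps to exactly one of the log entries listed under "How Do I Know if My Network is Under Attack?".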

Protection Overview
IPS offers several preemptive protections against POP3 related vulnerabilities.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Mail > POP3.
2. In the right pane, double-click the following protections:

Empty POP3 Username
Empty POP3 Password
Non Compliant POP3
POP3 STARTTLS Command
Use Malicious Code Protector for POP3
Maximum Bad POP3 Commands Enforcement
Maximum POP3 Command Line Length Enforcement
Maximum POP3 Commands Per Connection Enforcement

3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Empty POP3 Username
Attack Name: POP3 Policy Violation
Attack Information: No username supplied in USER command

Empty POP3 Password
Attack Name: POP3 Policy Violation
Attack Information: No password supplied in PASS command

Non Compliant POP3
Attack Name: POP3 Policy Violation
Attack Information: Non protocol-compliant connection

POP3 STARTTLS Command
Attack Name: POP3 Policy Violation
Attack Information: Illegal POP3 TLS session

Use Malicious Code Protector for POP3
Attack Name: POP3 Security Violation
Attack Information: Malicious Code Protector

Maximum Bad POP3 Commands Enforcement
Attack Name: POP3 Policy Violation
Attack Information: Too many bad commands

Maximum POP3 Command Line Length Enforcement
Attack Name: POP3 Format Violation
Attack Information: Command line is too long

Maximum POP3 Commands Per Connection Enforcement
Attack Name: POP3 Policy Violation
Attack Information: Too many commands