Update Protection against Microsoft LDAP Active Directory Remote Code Execution Vulnerability (MS08-060)

Vulnerability
Protection

Check Point Reference:	CPAI-2008-156
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS08-060
Industry Reference(s):	CVE-2008-4023
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 VSX NGX R65 InterSpect NGX IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Microsoft Windows 2000 Server SP4
Vulnerability Description A remote code execution has been reported in Microsoft Windows Active Directory. Active Directory automates network management of user data, security, and distributed resources among Windows-based computers and is broadly deployed in enterprise environments. Lightweight Directory Access Protocol (LDAP) is employed to access data in the Active Directory. Active Directory fails to properly handle crafted LDAP packets. The vulnerability could be exploited by remote attackers to take complete control of an affected system via a specially crafted LDAP request sent to an affected Active Directory server.

Update/Patch Available
Apply patces:
Microsoft Security Bulletin MS08-060

Vulnerability Details
The flaw is due to insufficient validation of LDAP requests by the LDAP service. A Remote attacker can exploit this issue via a specially crafted LDAP request sent to a vulnerable Active Directory server. Successful exploitation may allow an attacker to execute remote code or create a denial of service condition on the affected server.

This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller it will not be exposed to this vulnerability.

Protection Overview
By enabling this protection, SmartDefense will detect and block malformed LDAP requests sent to the Active Directory server.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > LDAP > Block Active Directory Search Request Overflow (MS08-060).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information: Active Directory search request overflow (MS08-060)

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > LDAP.
2. Select the following protections:

Block Active Directory Search Request Overflow (MS08-060)

3. Install policy on all modules.

VPN-1 VSX NGX R65

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > LDAP.
3. Select the following protection:

Block Active Directory Search Request Overflow (MS08-060)

4. Install policy on all modules.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Intelligence > LDAP, and select the Compliance protection group
3. Click Active Directory search request vulnerability (MS08-060) - (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: ldap_compliance
Description: long_baseobj_alert

Legal Notice for Threat Center Advisories