Preemptive Protection against CA eTrust Secure Content Manager Gateway FTP PASV Stack Overflow Vulnerability

Check Point Reference: CPAI-2008-090
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA30518
Industry Reference(s): CVE-2008-2541
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
CA eTrust Secure Content Manager 8
Vulnerability Description
A buffer overflow vulnerability was discovered in CA eTrust Secure Content Manager (SCM), a gateway product for the Windows platform that secures, monitors, filters and blocks potential threats from messaging and Web traffic. It protects against malware, spam, phishing and P2P file sharing, and prevents access to known spyware sites. A remote attacker can exploit this vulnerability to execute arbitrary code on a vulnerable system.
Vulnerability Details
The vulnerability is due to a boundary error in CA eTrust Secure Content Manager that fails to sufficiently check certain FTP responses. A remote attacker can exploit this issue by sending a specially crafted FTP PASV response to the target server. Successful exploitation of this vulnerability may allow the attacker to execute arbitrary code on the target system.

Protection Overview
SmartDefense provides a mandatory protection against the "FTP Bounce" attack, which verifies the destination of the FTP PORT command. Users are protected against this vulnerability by default. No update is required to address this vulnerability, except for IPS-1.
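
The following C routine is an added illustration, not Check Point's or CA's code. It shows the two checks a client or gateway can apply to a 227 (PASV) reply: bounding the line before it is copied, and rejecting a reply whose address differs from the server on the control connection. `MAX_REPLY`, the function names and the meaning given to an "invalid" address are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define MAX_REPLY 128   /* assumed cap on one control-channel reply line */
enum { PASV_OK = 0, PASV_MALFORMED = -1, PASV_ADDR_MISMATCH = -2 };

/* Read one decimal field of 1-3 digits with value 0..255; advance *p. */
static int parse_octet(const char **p, unsigned *out)
{
    unsigned v = 0;
    int digits = 0;
    for (; isdigit((unsigned char)**p) && digits < 3; (*p)++, digits++)
        v = v * 10 + (unsigned)(**p - '0');
    if (digits == 0 || v > 255 || isdigit((unsigned char)**p))
        return -1;
    *out = v;
    return 0;
}

/* Validate "227 ... (h1,h2,h3,h4,p1,p2)" received from the server whose
 * control-connection address is server_ip; store the data port on success. */
int check_pasv_reply(const char *buf, size_t len,
                     const uint8_t server_ip[4], uint16_t *port)
{
    char line[MAX_REPLY + 1];
    unsigned f[6];
    const char *p;
    int i;

    if (len > MAX_REPLY)            /* bound is checked before the copy */
        return PASV_MALFORMED;
    memcpy(line, buf, len);
    line[len] = '\0';
    if (strncmp(line, "227 ", 4) != 0 || (p = strchr(line, '(')) == NULL)
        return PASV_MALFORMED;
    p++;
    for (i = 0; i < 6; i++)         /* six fields, ',' between, ')' last */
        if (parse_octet(&p, &f[i]) != 0 || *p++ != (i < 5 ? ',' : ')'))
            return PASV_MALFORMED;
    for (i = 0; i < 4; i++)         /* address must be the server itself */
        if (f[i] != server_ip[i])
            return PASV_ADDR_MISMATCH;
    *port = (uint16_t)(f[4] * 256 + f[5]);
    return PASV_OK;
}
```

Call it with the raw reply bytes and their length as read from the control socket, plus the four address bytes of the server the control connection was opened to.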

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
The protection is located in the SmartDefense tab > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

VPN-1 NGX R61 & R60

How Can I Protect My Network?
The protection is located in the SmartDefense tree > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
The protection is located in the SmartDefense tab > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

VPN-1 VSX NGX R65

How Can I Protect My Network?
The protection is located in the SmartDefense tab > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

VPN-1 VSX NGX

How Can I Protect My Network?
The protection is located in the SmartDefense tab > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.  
2. The protection is located in the SmartDefense tab > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

Connectra NGX R62 & R61

How Can I Protect My Network?
1. The protection is located in the left-hand menu > Security > SmartDefense > Application Intelligence > FTP > FTP Bounce.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: FTP Bounce
Attack Information: Invalid IP address in port/227 command

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > FTP, and select the FTP Command Attacks protection group.
3. Click Invalid port-related data (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: ftp_commands
Description: invalid_port_arg_alert