
Update Protection against Microsoft Exchange Server EMSMDB32 Literal Processing Vulnerability (MS09-003)


Check Point Reference: CPAI-2009-014
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS09-003
Industry Reference(s): CVE-2009-0099
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
InterSpect
  • NGX
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Exchange Server 2003 SP2
Microsoft Exchange Server 2000 SP3 with the Update Rollup of August 2004
Vulnerability Description
A denial of service vulnerability has been reported in the way the Electronic Messaging System Microsoft Data Base, 32-bit build (EMSMDB32) provider handles invalid MAPI commands. EMSMDB32 is the Exchange Transport provider, which implements both a transport and a message store provider for MAPI. It provides the ability to submit messages to Exchange Server and to read messages to an Exchange store process. A remote attacker may exploit this issue to create a denial of service condition on a target system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-003
Vulnerability Details
The vulnerability is due to an error in the Exchange server that incorrectly handles a command in the EMSMDB32 provider. A remote attacker may exploit this issue by sending a specially crafted MAPI command to a Microsoft Exchange server. Successful exploitation of this issue will create a denial of service condition, causing the mail service to stop responding.

Protection Overview
By enabling this protection, SmartDefense will detect and block attempts to exploit this vulnerability. Note that in order to enforce this protection, define the Microsoft Exchange server as a Mail Server.

By enabling this protection, IPS-1 will detect and block malformed UDP packets being sent to the Exchange server. To enforce the protection, make sure the variable 'Enable MS09-003 UDP detection for MS exchange' in the SMTP group is checked, and the address of the Exchange servers is in 'Local Microsoft Exchange servers'.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > SMTP > Microsoft Exchange Server EMSMDB32 Literal Processing (MS09-003).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Microsoft Exchange server EMSMDB32 literal processing (MS09-003)

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > SMTP.
2. Enable the following protection:

Microsoft Exchange Server EMSMDB32 Literal Processing (MS09-003)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Microsoft Exchange server EMSMDB32 literal processing (MS09-003)

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > SMTP > Microsoft Exchange Server EMSMDB32 Literal Processing (MS09-003).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Microsoft Exchange server EMSMDB32 literal processing (MS09-003)

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Mail > SMTP.
3. Select the following protection:

Microsoft Exchange Server EMSMDB32 Literal Processing (MS09-003)

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Microsoft Exchange server EMSMDB32 literal processing (MS09-003)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > SMTP2, and select the protection group.
3. Click Exchange UDP DoS (MS09-003) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

In addition, make sure the variable Enable MS09-003 UDP detection for MS Exchange in the SMTP group is checked, and the address of the Exchange servers is in Local Microsoft Exchange servers.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: SMTP Exchange
Description: Exchange UDP DoS (MS09-003)
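
The log entries listed in the sections above can be triaged in bulk once they are exported to text. The following is an added example, not Check Point code: it assumes a hypothetical export of blank-line-separated "Field: value" records in the layout this page uses, and the Source and Destination fields and all addresses are constructed. Matching is case-insensitive because the page capitalizes "Server" differently in the protection name and in the logged string.

```python
import re
from collections import Counter

# Signature strings exactly as this advisory lists them, keyed by the log field they appear in.
SIGNATURES = {
    "Attack Information": "Microsoft Exchange server EMSMDB32 literal processing (MS09-003)",
    "Description": "Exchange UDP DoS (MS09-003)",
}

def parse_records(text):
    """Split blank-line-separated 'Field: value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def ms09_003_hits(records):
    """Keep records whose signature field equals a listed string (case-insensitive)."""
    return [r for r in records
            if any(r.get(f, "").casefold() == s.casefold() for f, s in SIGNATURES.items())]

def summarize(hits):
    """Count hits per (source, destination) pair to show which server is being targeted."""
    return Counter((h.get("Source", "?"), h.get("Destination", "?")) for h in hits)

# Constructed sample export; Source/Destination fields and addresses are assumptions.
SAMPLE = """\
Attack Name: SMTP Protection Violation
Attack Information: Microsoft Exchange server EMSMDB32 literal processing (MS09-003)
Source: 198.51.100.7
Destination: 192.0.2.25

Attack Name: SMTP Protection Violation
Attack Information: Some other SMTP protection
Source: 198.51.100.9

Alert Name: SMTP Exchange
Description: Exchange UDP DoS (MS09-003)
Source: 198.51.100.7
Destination: 192.0.2.25
"""

if __name__ == "__main__":
    print(dict(summarize(ms09_003_hits(parse_records(SAMPLE)))))
```

Repeated hits from one source against the same Exchange server are the pattern worth escalating, since successful exploitation stops the mail service from responding.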