
Preemptive Protection against ProFTPD with mod_sql pre-authentication Vulnerability

Check Point Reference: CPAI-2010-169
Date Published:
Preemptive Since:
Severity:
Source: http://www.phrack.org/issues.html?issue=67&id=7#article
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
ProFTPD 1.3.2rc2
Vulnerability Description
A pre-authentication remote root heap overflow vulnerability was reported in the ProFTPD FTP server. ProFTPD is configurable, GPL-licensed FTP server software.
Vulnerability Details
The vulnerability is an unbounded copy operation in sql_prepare_where().

Protection Overview
IPS-1 preemptively detects and blocks attempts to access FTP servers with user names that exceed a certain threshold in length. No update is required.
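
The length check described above can be illustrated with a small monitor for the client side of an FTP control connection. This is an added example, not Check Point's IPS-1 logic; the 64-byte threshold and the names FtpUserMonitor and demo are assumptions, since the advisory does not state the actual limit.

```python
import re

# Assumed threshold: the advisory does not state the value IPS-1 uses.
MAX_USERNAME_LEN = 64
USER_RE = re.compile(rb"USER (.*)", re.IGNORECASE)


class FtpUserMonitor:
    """Tracks one FTP control connection (client-to-server bytes only)."""

    def __init__(self, max_len=MAX_USERNAME_LEN):
        self.max_len = max_len
        self.buf = b""
        self.skipping = False  # True while discarding the tail of a flagged line

    def _too_long(self, line):
        m = USER_RE.fullmatch(line.rstrip(b"\r"))
        return m is not None and len(m.group(1)) > self.max_len

    def feed(self, segment):
        """Consume one TCP payload; return the alerts it triggers."""
        alerts = []
        self.buf += segment
        while True:
            line, sep, rest = self.buf.partition(b"\n")
            if not sep:
                break
            self.buf = rest
            if self.skipping:
                self.skipping = False  # end of the line that was already flagged
            elif self._too_long(line):
                alerts.append("Long FTP username")
        # A USER line can exceed the limit before its CRLF arrives, so the
        # unterminated remainder is checked too instead of waiting for the end.
        if self.skipping:
            self.buf = b""
        elif self._too_long(self.buf):
            alerts.append("Long FTP username")
            self.buf, self.skipping = b"", True
        return alerts


def demo():
    """Constructed traffic: a normal login, then a long name split over segments."""
    mon = FtpUserMonitor()
    segments = [b"USER alice\r\nPA", b"SS secret\r\n",
                b"user " + b"A" * 40, b"A" * 40, b"A" * 10 + b"\r\n", b"QUIT\r\n"]
    return [mon.feed(s) for s in segments]
```

The alert fires on the fourth segment, as soon as the buffered name passes the limit and before the line terminator is seen.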

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > FTP, and select the FTP Command Attacks protection group.
3. Click Long FTP username (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: FTP Commands
Description: Long FTP username