
Security Best Practice: Protect Yourself from Multiple IMAP Vulnerabilities


Check Point Reference: SBP-2010-07
Date Published:
Severity:
Source: IPS Research Center
Protection Provided by: Security Gateway
  • R70
Who is Vulnerable?
IMAP Mail Servers
Vulnerability Description
The Internet Message Access Protocol (IMAP) is one of the two most prevalent Internet standard protocols for e-mail retrieval, the other being the Post Office Protocol (POP). Virtually all modern e-mail clients and mail servers support both protocols as a means of transferring e-mail messages from a server to a client.

There are several serious security limitations with the IMAP protocol that allow malicious attackers to compromise a remote server, gain full access rights or launch denial of service (DoS) attacks.

Vulnerability Details
IPS offers several preemptive protections against IMAP related vulnerabilities:

Empty IMAP Username - According to RFC 3501, a username must be provided in the IMAP LOGIN command. Not providing a username might indicate an attempt to attack the server. By activating this protection, IPS can detect or prevent IMAP connections with login attempts which do not contain a username.

Empty IMAP Password - According to RFC 3501, a password must be provided in the IMAP LOGIN command. Not providing a password might indicate an attempt to attack the server or enter the IMAP account without permission. In addition, enforcing a non-empty IMAP password policy increases security. By activating this protection, IPS can detect or prevent IMAP connections with login attempts which do not contain a password.

IMAP STARTTLS Command - RFC 3501 defines how to use encrypted TLS sessions for IMAP. By activating this protection, IPS can detect or prevent IMAP connections which are encrypted.

Non Compliant IMAP - Unexpected characters used in IMAP connections might indicate an attempt to attack the mail server. One such protocol violation is declaring a wrong size for an IMAP literal argument, as defined in RFC 3501. By activating this protection, IPS can detect or prevent IMAP connections which cannot be inspected because they violate the IMAP protocol.
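The checks behind the Empty IMAP Username, Empty IMAP Password and Non Compliant IMAP protections can be illustrated by inspecting a LOGIN command's two astring arguments (atom, quoted string or `{N}` literal) and reporting the same Attack Information strings this advisory lists. This is an added, stand-alone Python example written for this page, not Check Point code; the `MAX_LINE` limit, the `inspect_login` and `_astring` names and the sample commands are assumptions, and literal data is taken as following its `{N}` line directly in the captured client-to-server byte stream.

```python
import re

MAX_LINE = 1024  # assumed inspector limit on one command line; the advisory gives none
_LITERAL = re.compile(rb"\{(\d+)\+?\}\r\n")          # {N} or {N+} followed by CRLF
_QUOTED = re.compile(rb'"((?:[^"\\\r\n]|\\.)*)"')     # quoted string, backslash escapes
_ATOM = re.compile(rb"[^ \r\n]*")

def _astring(buf, pos):
    """Parse one astring at pos -> (value, next_pos, literal_mismatch); value is None if malformed."""
    if buf.startswith(b"{", pos):
        m = _LITERAL.match(buf, pos)
        if not m:
            return None, pos, False
        n, start = int(m.group(1)), m.end()
        data = buf[start:start + n]
        # A correctly declared size leaves a delimiter (SP or CR) right after the literal data.
        aligned = len(data) == n and buf[start + n:start + n + 1] in (b" ", b"\r")
        return data, start + n, not aligned
    if buf.startswith(b'"', pos):
        m = _QUOTED.match(buf, pos)
        return (m.group(1), m.end(), False) if m else (None, pos, False)
    m = _ATOM.match(buf, pos)
    return m.group(0), m.end(), False

def inspect_login(stream):
    """Return the Attack Information strings the advisory lists, for one LOGIN command."""
    eol = stream.find(b"\r\n")
    if eol < 0 or eol > MAX_LINE:
        return ["Data line is too long"]
    m = re.match(rb"[^ ]+ LOGIN ", stream, re.IGNORECASE)
    if not m:
        return []                                    # only LOGIN is inspected here
    findings, pos = [], m.end()
    for field in ("Username", "Password"):
        value, pos, mismatch = _astring(stream, pos)
        if mismatch:
            findings.append(f"{field} length differs from declared IMAP literal size")
            break
        if value is None:
            findings.append("Non protocol-compliant connection")
            break
        if not value:
            findings.append(f"No {field.lower()} supplied in LOGIN command")
        pos += 1                                     # step over the SP (or CR) delimiter
    return findings

# Constructed samples (not from the advisory): clean login, empty username, and a
# username literal declared as 4 octets while 5 are sent.
SAMPLES = [b'A1 LOGIN "alice" "s3cret"\r\n', b'A2 LOGIN "" "s3cret"\r\n',
           b"A3 LOGIN {4}\r\nalice {6}\r\ns3cret\r\n"]
```

Running `inspect_login` over each entry of `SAMPLES` yields no finding for the first, the empty-username message for the second and the username literal-size message for the third.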

Protection Overview
IPS offers several preemptive protections against IMAP related vulnerabilities.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Mail > SMTP.
2. In the right pane, double-click the following protections:

Empty IMAP Username
Empty IMAP Password
IMAP STARTTLS Command
Non Compliant IMAP

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Empty IMAP Username
Attack Name: IMAP Policy Violation
Attack Information: No username supplied in LOGIN command

Empty IMAP Password
Attack Name: IMAP Policy Violation
Attack Information: No password supplied in LOGIN command

IMAP STARTTLS Command
Attack Name: IMAP Policy Violation
Attack Information: Illegal IMAP TLS session

Non Compliant IMAP
Attack Name: IMAP Security Violation
Attack Information:
Non protocol-compliant connection
Data line is too long
Out of expected state
Username length differs from declared IMAP literal size
Password length differs from declared IMAP literal size