
Update Protection against Apache LDAP HTTP Server Buffer Overflow Vulnerability


Check Point Reference: CPAI-2006-106
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2006-3017
Industry Reference(s): CVE-2006-3747
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R61
Who is Vulnerable?
Apache versions 1.3.28 through 1.3.36
Apache versions 2.0.46 through 2.0.58
Apache versions 2.2.0 through 2.2.2
Vulnerability Description
A vulnerability exists in Apache HTTP Server. Attackers can trigger it with crafted URLs that certain Rewrite rules do not handle properly. The issue affects only installations using Rewrite rules with specific characteristics. The flaw allows attackers to cause a denial of service and possibly to execute arbitrary code.
Update/Patch Available
Upgrade to Apache version 1.3.37, 2.0.59, or 2.2.3:
http://httpd.apache.org/download.cgi
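
As an added example (not part of the Check Point advisory), the following Python script triages an inventory of Apache version banners against the affected ranges and fixed releases listed above. The host names, sample banners and function names are constructed for illustration.

```python
import re

# Affected ranges and fixed releases, taken from the advisory text.
AFFECTED = [
    ((1, 3, 28), (1, 3, 36), "1.3.37"),
    ((2, 0, 46), (2, 0, 58), "2.0.59"),
    ((2, 2, 0), (2, 2, 2), "2.2.3"),
]

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(banner):
    """Return (major, minor, patch) from a banner or `httpd -v` line, else None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(banner):
    """Return (status, fixed_version) for one banner string.

    status is 'affected', 'not-affected' or 'unknown' (no version disclosed).
    """
    version = parse_apache_version(banner)
    if version is None:
        return ("unknown", None)
    # Compare as integer tuples so that 2.2.10 is not mistaken for 2.2.1.
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return ("affected", fixed)
    return ("not-affected", None)


# Constructed sample inventory (host names and banners are made up).
SAMPLE_INVENTORY = {
    "web01": "Server version: Apache/2.0.55 (Unix)",
    "web02": "Server: Apache/2.2.3 (Unix)",
    "web03": "Server: Apache/1.3.27 (Unix)",
    "web04": "Server: Apache",  # ServerTokens Prod hides the version
    "web05": "Apache/1.3.36",
}


def triage(inventory):
    """Map each host to its (status, fixed_version) classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, (status, fixed) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}" + (f" -> upgrade to {fixed}" if fixed else ""))
```

A match means only that the host falls within the advisory's version ranges; the advisory states that only installations using Rewrite rules with specific characteristics are affected. Distribution packages may also carry backported fixes without changing the version string, so confirm against the vendor's package changelog.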
Vulnerability Details
This vulnerability is due to a buffer overflow error in the Rewrite module (mod_rewrite) when it processes a specially crafted LDAP URI. Successful exploitation could reportedly result in remote code execution on the vulnerable server or in the crashing of web server processes.

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block attempts to exploit the vulnerability, based on pre-defined worm signatures.

To activate the protection, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on September 12, 2006 includes the following protections: 

Malformed IMAP Commands Protection (CPAI-2006-098)
Protection against Microsoft Windows DHCP Remote Code Execution (MS06-036) - CPAI-2006-101
MiniBB Remote File Vulnerabilities (CPAI-2006-102)
GraceNote (CDDB) Control ActiveX Vulnerability (CPAI-2006-103)
Microsoft Internet Explorer 6 (Internet.HHCtrl) Vulnerability (CPAI-2006-104)
Microsoft Internet Explorer UTF-8 Decoding Vulnerability (MS06-021) - CPAI-2006-105
Apache LDAP HTTP Server Buffer Overflow Vulnerability (CPAI-2006-106)
Pre-Patch Workaround for Microsoft Windows Vulnerabilities (SBP-2006-06)

VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following pattern:

Apache LDAP HTTP Server Buffer Overflow Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apache LDAP HTTP Server Buffer Overflow Vulnerability

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following pattern:

Apache LDAP HTTP Server Buffer Overflow Vulnerability

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apache LDAP HTTP Server Buffer Overflow Vulnerability

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following pattern:

Apache LDAP HTTP Server Buffer Overflow Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apache LDAP HTTP Server Buffer Overflow Vulnerability

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Apache LDAP HTTP Server Buffer Overflow Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apache LDAP HTTP Server Buffer Overflow Vulnerability

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Web > General HTTP Worm Defender.
2. Enable the following pattern:

Apache LDAP HTTP Server Buffer Overflow Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apache LDAP HTTP Server Buffer Overflow Vulnerability

Connectra NGX R61

How Can I Protect My Network?
1. In the navigation tree, click Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Enable the following pattern:

Apache LDAP HTTP Server Buffer Overflow Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Worm Catcher
Attack Information: Apache LDAP HTTP Server Buffer Overflow Vulnerability