Update Protection against Multiple IMAP Vulnerabilities (FETCH, EXAMINE, APPEND)
| Check Point Reference: | CPAI-2006-046 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | FrSIRT/ADV-2005-3005 OSVDB ID: 23796 |
|
| Industry Reference(s): | CVE-2007-1301 CVE-2005-4267 CVE-2005-3526 CVE-2005-0707 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Eudora Qualcomm WorldMail version 3.0 and earlier versions Ipswitch Collaboration Suite 2006.02 and earlier versions | ||
| Vulnerability Description Several IMAP servers from several vendors are vulnerable to a buffer overflow condition due to failure to handle overly long IMAP commands. These vulnerabilities can be exploited by remote attackers to execute arbitrary commands. |
||
|
Update/Patch Available |
|
|
Vulnerability Details CVE-2005-3526:A buffer overflow was detected in the IMAP daemon in Ipswitch Collaboration Suite 2006.02 and earlier versions. The vulnerability could allow remote authenticated users to execute arbitrary code via a long FETCH command.
CVE-2005-0707: A buffer overflow was detected in the IMAP daemon in Ipswitch Collaboration Suite 2006.02 and earlier versions. The vulnerability could allow remote authenticated users to execute arbitrary code via a long EXAMINE command. CAN-2005-4267: A vulnerability has been identified in Eudora Qualcomm WorldMail, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing overly long IMAP commands such as APPEND or AUTHENTICATE. |
Protection Overview
The update blocks overly long IMAP commands including FETCH, EXAMINE and APPEND that may cause buffer overflows on some IMAP servers.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The update from May 21 includes the following protections:
Vulnerability in Microsoft Data Access Components (MDAC) Function (MS06-014) - CPAI-2006-043
Internet Explorer mhtml Redirection Vulnerability - CPAI-2006-044
Winny P2P Remote Buffer Overflow Vulnerability - CPAI-2006-045
IMAP Multiple Vulnerabilities - CPAI-2006-046
Enhanced Protection against Microsoft FrontPage XSS Vulnerability (MS06-017) - CPAI-2006-035
MYSQL Protections - CPSA-2006-04 (InterSpect NGX only)
Exclusion List for HTTP Client Protections
VPN-1 NGX R61
How Can I Protect My Network?
1. Update your SmartDefense: Click the SmartDefense Services tab, In the left pane from the drop-down list, click Download Updates and then click the Online Update button.
2. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the protections underneath:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
Apply MCP to IMAP Commands
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information:
FETCH Command Buffer Overflow
EXAMINE Command Buffer Overflow
APPEND Command Buffer Overflow
Malicious Code Detetced in IMAP Commands
VPN-1 NGX R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the protections underneath:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
Apply MCP to IMAP Commands
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will display the following log entries:
Attack Name: IMAP Protocol Violation
Attack Information:
FETCH Command Buffer Overflow
EXAMINE Command Buffer Overflow
APPEND Command Buffer Overflow
Malicious Code Detected in IMAP Command
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the protections underneath:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Users of VPN-1 NG with Application Intelligence R55 will identify rules 99143, 99144 and 99145 in the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the protections underneath:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Users of VPN-1 NG with Application Intelligence R55 will identify rules 99143, 99144 and 99145 in the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the protections underneath:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
Apply MCP to IMAP Commands
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information:
FETCH Command Buffer Overflow
EXAMINE Command Buffer Overflow
APPEND Command Buffer Overflow
Malicious Code Detetced in IMAP Commands
InterSpect 2.0
How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the protections underneath:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information:
FETCH Command Buffer Overflow
EXAMINE Command Buffer Overflow
APPEND Command Buffer Overflow
Connectra NGX R61
How Can I Protect My Network?
1. Update SmartDefense: On the navigation tree, click Security > SmartDefense Updates; In the Download updated content pane, enter your credentials and then click Download Updates.
2. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
3. In the Dynamic Attacks pane, click the following:
Block FETCH Command Buffer Overflow
Block EXAMINE Command Buffer Overflow
Block APPEND Command Buffer Overflow
Apply MCP to IMAP Commands
How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:
Attack Name: IMAP Protocol Violation
Attack Information:
FETCH Command Buffer Overflow
EXAMINE Command Buffer Overflow
APPEND Command Buffer Overflow
Malicious Code Detected in IMAP Command