Update Protection against Multiple Microsoft Windows Active Directory Crafted LDAP Request Vulnerabilities (MS07-039)

Vulnerability
Protection

Check Point Reference:	CPAI-2007-086
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS07-039
Industry Reference(s):	CVE-2007-3028 CVE-2007-0040
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 NG with Application Intelligence R55W NG with Application Intelligence R55 VSX NGX InterSpect NGX 2.0 and 1.x Connectra NGX R62 NGX R61
Who is Vulnerable? Microsoft Windows 2000 Server SP4 Windows Server 2003 SP 1 and Windows Server 2003 SP2 Windows Server 2003 x64 Edition Windows Server 2003 x64 Edition SP2 Windows Server 2003 with SP1 (Itanium) Windows Server 2003 with SP2 (Itanium)
Vulnerability Description Multiple vulnerabilities have been reported in Microsoft Windows Active Directory. The flaws are in the way the Active Directory handles LDAP requests. Lightweight Directory Access Protocol (LDAP) is Internet standard protocol designed for querying and modifying directory services. The vulnerabilities could be exploited by remote attackers to crash the service or execute arbitrary code on an affected system.

Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS07-039

Vulnerability Details
The flaws are due to errors within the Microsoft Windows Active Directory that fails to properly handle specially crafted LDAP requests. A Remote attacker can exploit this issue via a specially crafted Search or Modify LDAP request sent to a vulnerable system. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected server.

Protection Overview
By enabling this protection, SmartDefense will detect and block the transferring of malformed LDAP Search and Modify requests.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on August 6, 2007 includes the following protections:

Microsoft Excel Remote Code Execution Vulnerability (MS07-036) CPAI-2007-085
Multiple Microsoft Windows Active Directory Crafted LDAP Request Vulnerabilities (MS07-039) CPAI-2007-086
Microsoft Office Publisher 2007 Remote Code Execution Vulnerability (MS07-037) CPAI-2007-087

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > LDAP, and select the following protections:

Block LDAP Search Request Vulnerability (MS07-039)
Block LDAP Modify Request Vulnerability (MS07-039)

2. In the configuration pane, under settings > Mode, check Active.

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information:
LDAP search request DoS attempt detected (MS07-039)
LDAP modify request DoS attempt detected (MS07-039)

VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > LDAP.
2. Select the following protections: