Check Point Advisories

Microsoft Exchange Server EMSMDB32 Literal Processing (MS09-003; CVE-2009-0099)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-014
Date Published:	10 Feb 2009
Severity:	Critical
Last Updated:	Tuesday 10 November, 2015
Source:
Industry Reference:	CVE-2009-0099
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	The Microsoft Exchange Server is an implementation of an email server capable of handling numerous Internet protocol, including the Simple Mail Transfer Protocol (SMTP). The EMSMDB32 provider refers to the Exchange Transport provider which implements both a transport and a message store provider for MAPI. The vulnerability is due to an error in the Exchange server that incorrectly handles a command in the EMSMDB32 provider. A remote attacker may exploit this issue by sending a specially crafted MAPI command to a Microsoft Exchange server. Successful exploitation of this issue will create a denial of service condition, causing the mail service to stop responding.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability. Note that in order to enforce this protection, define the Microsoft Exchange server as a Mail Server.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft Exchange Server EMSMDB32 Literal Processing (MS09-003) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: SMTP Protection Violation.
Attack Information: Microsoft Exchange server EMSMDB32 literal processing (MS09-003)