Check Point Advisories

McAfee WebShield SMTP Bounce Message Format String (CVE-2006-0559)

Check Point Reference: CPAI-2006-216
Date Published: 21 Feb 2010
Severity: Critical
Last Updated: Monday 01 May, 2023
Industry Reference:CVE-2006-0559
Protection Provided by:

Security Gateway
R81, R80, R77, R75

Who is Vulnerable?
Vulnerability Description McAfee WebShield SMTP is an application designed to scan incoming SMTP messages for viruses before forwarding them to their destinations. Since WebShield may be set up to work independently of any real SMTP servers, it can act as a partially-featured SMTP server on its own, with respect to receiving and sending messages. During normal operation, the application will accept SMTP messages, scan them, and forward them to their intended destinations if no malicious content is detected by the Textscanner. There exists a format string vulnerability in the SMTP virus scanning software, McAfee WebShield SMTP. An unauthenticated attacker may leverage the vulnerability to inject and execute arbitrary code in the context of the running service, normally System. In case of an attack where code execution is unsuccessful, the service will terminate and all the other connections are severe. In the case of a successful attack attempt, the behaviour of the target host cannot be predicted as it is entirely dependent on the intention of the injected code. Note that in both cases, the target SMTP service will be terminated permanently.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R81 / R80 / R77 / R75

  1. In the IPS tab, click Protections and find the McAfee WebShield SMTP Bounce Message Format String protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  SMTP Protection Violation.
Attack Information:  McAfee WebShield SMTP Bounce Message Format String

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.