Check Point Advisories

Ipswitch WS_FTP Client Format String (CVE-2008-3734)

Vulnerability
Protection

Check Point Reference:	CPAI-2008-333
Date Published:	10 Mar 2010
Severity:	High
Last Updated:	Wednesday 10 March, 2010
Source:
Industry Reference:	CVE-2008-3734
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	The Ipswitch WS_FTP client is a popular file transfer client which is fully compliant with the File Transfer Protocol (FTP) specifications. A format string vulnerability exists in the Ipswitch WS_FTP client FTP product. The vulnerability is due to the input validation flaw, when parsing a message received by the client from a remote FTP server. A remote attacker may entice the target user to connect to a malicious FTP server and exploit the vulnerability for code injection and execution under the security context of the currently logged in user. In an attack scenario, where arbitrary code is attempted to be injected and executed on the target machine, the behavior of the target is dependent on the intention of the malicious code. If the attack code is not executed successfully, the vulnerable application may terminate as a result of memory corruption.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the Ipswitch WS_FTP Client Format String protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: FTP Enforcement Violation.
Attack Information: Ipswitch WS_FTP client format string