Check Point Advisories

Security Best Practice: Protect Yourself from Multiple POP3 Vulnerabilities

Check Point Reference: SBP-2010-05
Date Published: 19 Jan 2010
Severity: High
Last Updated: Friday 01 January, 2010
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? POP3 Mail Servers
Vulnerability Description

Post Office Protocol version 3 (POP3) is an electronic mail protocol used to retrieve messages stored on e-mail servers. POP3 is a 'pull' protocol. To check for messages, a client connects to its mail server and, using the POP3 protocol, logs in to its mailbox and 'pulls' out its messages. POP3 allows the remote client to view, download, list and delete messages.

There are several serious security limitations with the POP3 protocol that allow malicious attackers to compromise a remote server, gain full access rights or launch denial of service (DoS) attacks.
Vulnerability Details

IPS offers several preemptive protections against POP3 related vulnerabilities:

Empty POP3 Username - According to RFC 1939, a username must be provided before downloading emails from the POP3 server. Not providing a username might indicate an attempt to attack the server. By activating this protection, IPS can detect or prevent POP3 connections with login attempts which do not contain a user.

Empty POP3 Password - According to RFC 1939, a password must be provided before downloading emails from the POP3 server. Not providing a password might indicate an attempt to attack the server or enter the POP3 account without permission. In addition, enforcing a non-empty POP3 password policy increases security. By activating this protection, IPS can detect or prevent POP3 connections with login attempts which do not contain a password.

Non Compliant POP3 - Unexpected characters used in POP3 connections might indicate an attempt to attack the mail server. By activating this protection, IPS can detect or prevent POP3 connections which cannot be inspected because they violate the fundamentals of the POP3 protocol.

POP3 STARTTLS Command - Block attempts to use encrypted TLS sessions for POP3, as defined in RFC 2595. By activating this protection, IPS can detect or prevent POP3 connections which are encrypted. Note: if this protection is not enabled and the POP3 session is encrypted, it may not be possible to enforce other POP3 protections for this connection.

Use Malicious Code Protector for POP3 - By manipulating the POP3 command arguments so that they contain assembler code, an attacker can create a memory corruption that can cause a server to crash or even run arbitrary code. An attack exploiting such a vulnerability does not require user interaction. This allows the attack to spread easily via reusable exploit scripts or worms. By enabling this protection, IPS wi
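
The four protocol-level checks listed above (empty username, empty password, non-compliant commands, TLS upgrade) can be illustrated with a small inspector over client-to-server POP3 lines. This is an added example, not Check Point's IPS code; the function names, finding labels and sample session are constructed for illustration. The POP3 keyword that RFC 2595 defines for starting TLS is `STLS`.

```python
import re

# RFC 1939: a command is a 3- or 4-character keyword, optionally followed by
# space-separated arguments, all printable ASCII, terminated by CRLF.
KEYWORD = re.compile(rb"[A-Za-z]{3,4}")
MAX_LINE = 255  # RFC 2449 limit for a command line, CRLF included


def inspect_command(raw: bytes) -> list[str]:
    """Return findings for one client command line (hypothetical labels)."""
    line = raw[:-2] if raw.endswith(b"\r\n") else raw
    keyword, _, arg = line.partition(b" ")
    malformed = (
        not raw.endswith(b"\r\n")
        or len(raw) > MAX_LINE
        or any(b < 0x20 or b > 0x7E for b in line)
        or not KEYWORD.fullmatch(keyword)
    )
    if malformed:
        # The line cannot be parsed reliably, so no further checks apply.
        return ["non-compliant"]
    verb = keyword.upper()  # POP3 keywords are case-insensitive
    if verb == b"USER" and not arg.strip():
        return ["empty-username"]
    if verb == b"PASS" and not arg:  # a password may legitimately contain spaces
        return ["empty-password"]
    if verb == b"STLS":
        # After the upgrade the session is opaque to inspection.
        return ["tls-upgrade"]
    return []


def inspect_session(lines):
    """Return (line_number, finding) pairs for a sequence of client lines."""
    return [(n, f) for n, raw in enumerate(lines, 1) for f in inspect_command(raw)]


# Constructed sample of client-to-server lines, not captured traffic.
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS \r\n",
    b"USER\r\n",
    b"STLS\r\n",
    b"RETR 1\x00\xff\r\n",
    b"LIST\r\n",
]

if __name__ == "__main__":
    for number, finding in inspect_session(SAMPLE_SESSION):
        print(number, finding)
```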

Protection Overview
