Check Point Advisories

Multiple Products STARTTLS Plaintext Command Injection (CVE-2011-0411; CVE-2014-3556)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-245
Date Published:	3 May 2011
Severity:	Critical
Last Updated:	Tuesday 28 February, 2023
Source:
Industry Reference:	CVE-2011-0411 CVE-2014-3556
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	STARTTLS is an extension to plaintext communication protocols that offers a way to upgrade plain text communications to an encrypted (TLS or SSL) connection. Protocols such as SMTP and FTP can be TLS-secured with a compatible server by a client sending the STARTTLS command. A command injection vulnerability has been reported on server implementations of the STARTTLS extension. The vulnerability could allow an attacker to inject commands during the plaintext phase, that will be executed during the ciphertext phase. A remote attacker could leverage this issue to perform a man-in-the-middle attack, by injecting commands in the STARTTLS command. This could result in execution of the attacker's commands without the knowledge of a target or client.

Protection Overview

This protection detects and blocks malformed STARTTLS commands.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R81 / R80 / R77 / R75

In the IPS tab, click Protections and find the Multiple Products STARTTLS Plaintext Command Injection protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: SMTP Protection Violation.
Attack Information: Multiple Products STARTTLS Plaintext Command Injection