Check Point Advisories

Postfix SMTP Server SASL Authentication Memory Corruption (CVE-2011-1720)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-380
Date Published:	16 Aug 2011
Severity:	Critical
Last Updated:	Tuesday 16 August, 2011
Source:
Industry Reference:	CVE-2011-1720
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	A memory corruption vulnerability has been reported in Postfix SMTP server. Postfix is a popular mail server for Unix-like platforms. The vulnerability is specific to Postfix servers that use Cyrus Simple Authentication and Security Layer (SASL) library. SASL is a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. The vulnerability is due to an error in the Postfix SMTP server when attempting to create a new SASL server handle following a client authentication failure.A remote attacker can trigger this flaw by sending an AUTH command to the affected server, using certain Cyrus SASL authentication methods. Successful exploitation may lead to a memory corruption condition, which may be leveraged by an attacker to execute arbitrary code on the affected system.

Protection Overview

This protection will detect and block attempts to transfer malicious AUTH commands.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the Postfix SMTP Server SASL Authentication Memory Corruption protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: SMTP Protection Violation.
Attack Information: Postfix SMTP Server SASL authentication memory corruption