             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Zone Labs SMTP Processing Vulnerability
                      [Zone Labs, February 18, 2004]

February 19, 2004 19:00 GMT                                       Number O-084
______________________________________________________________________________
PROBLEM:       Zone Labs desktop security product for their personal firewall
               processes Simple Mail Transfer Protocol (SMTP) in order to
               perform various security functions. An unchecked buffer
               vulnerability has been identified within the SMTP processes.
SOFTWARE:      ZoneAlarm family of products and Integrity client versions 4.0
               and above used to protect a mail server.
DAMAGE:        A remote attacker could cause the firewall to stop processing
               traffic, execute arbitrary code, or elevate malicious code's
               privileges.
SOLUTION:      Vendor recommends upgrading to version 4.5.538.001.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker could gain root privileges.
ASSESSMENT:    Note that using ZoneAlarm to protect a server is not a
               recommended configuration.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-084.shtml
 ORIGINAL BULLETIN   http://download.zonelabs.com/bin/free/securityAlert/8.html
______________________________________________________________________________

[***** Start Zone Labs, February 18, 2004 *****]

Zone Labs SMTP Processing Vulnerability

Overview:

A security vulnerability exists in specific versions of ZoneAlarm®, ZoneAlarm
Pro, ZoneAlarm Plus and the Zone Labs Integrity™ client. This vulnerability is
caused by an unchecked buffer in Simple Mail Transfer Protocol (SMTP)
processing which could lead to a buffer overflow.
In order to exploit the vulnerability without user assistance, the target
system must be operating as an SMTP server. Zone Labs does not recommend using
our client security products to protect servers. Upgrading an affected Zone
Labs product will remove this vulnerability.

Date Published: February 18, 2004
Last Update:    February 18, 2004

Impact:

If successfully exploited, a skilled attacker could cause the firewall to stop
processing traffic, execute arbitrary code, or elevate malicious code's
privileges. Zone Labs recommends affected users update their software to the
current versions which address the issue.

Affected Products:

ZoneAlarm family of products and Integrity client versions 4.0 and above.

Unaffected Products:

ZoneAlarm and Integrity client versions earlier than 4.0. Integrity Server and
Integrity Clientless Security products are not affected.

Description:

Zone Labs desktop security products process SMTP in order to perform various
security functions. Due to an unchecked buffer in the SMTP processing system,
a skilled attacker could cause the firewall to stop processing traffic or
execute arbitrary code.

Successful exploitation requires one of the following scenarios and applies
only to SMTP traffic:

  - A program listening on port 25/TCP (SMTP) of the target system. This
    condition is usually only present on SMTP servers. Zone Labs does not
    recommend using our client security products to protect servers.

  - A malicious program running on the protected system could trigger the
    buffer overflow and gain SYSTEM privileges if the user or administrator
    has given it permission to access the network.

In all cases, the program requesting network access must be approved by the
user through the Program Control policy.

Recommended Actions:

ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro users should upgrade to version:
4.5.538.001.

To update your Zone Labs client product:

  1. Select Overview > Preferences.
  2. In the Check for Updates area, choose an update option.
     Automatically: Zone Labs security software automatically notifies you
                    when an update is available.
     Manually:      You monitor the Status tab for updates. To invoke an
                    update check immediately, click "Check for Update".

Integrity 4.0 users should upgrade to Integrity client version: 4.0.146.046.
Integrity 4.5 users should upgrade to Integrity client version: 4.5.085.

Integrity updates are available on the Zone Labs Enterprise Support web site.

Related Resources:

Zone Labs Security Services
http://www.zonelabs.com/store/content/support/securityUpdate.jsp

Acknowledgments:

Zone Labs would like to acknowledge eEye Digital Security for reporting this
issue to Zone Labs.

Contact:

Zone Labs customers who are concerned about these vulnerabilities or have
additional technical questions may reach our Technical Support group at:
http://www.zonelabs.com/store/content/support/support.jsp.

To report security issues with Zone Labs products contact
security@zonelabs.com.

Disclaimer:

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information. Zone Labs and Zone Labs
products are registered trademarks of Zone Labs Incorporated and/or affiliated
companies in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property of
their respective companies/owners.

Copyright:

©2004 Zone Labs, Inc. All rights reserved. Zone Labs, TrueVector, ZoneAlarm,
and Cooperative Enforcement are registered trademarks of Zone Labs, Inc. The
Zone Labs logo, Zone Labs Integrity and IMsecure are trademarks of Zone Labs,
Inc. Zone Labs Integrity protected under U.S.
Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a
service mark of Zone Labs, Inc. All other trademarks are the property of their
respective owners.

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Zone Labs. Reprinting the whole
or part of this alert in any medium other than electronically requires
permission from Zone Labs.

[***** End Zone Labs, February 18, 2004 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Zone Labs for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained
via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-074: Red Hat Cross-site Scripting Vulnerability in Mailman Package
O-075: RealPlayer / RealOne Player Buffer Overrun Vulnerabilities
O-076: MS Vulnerability in Virtual PC for Mac
O-077: MS Vulnerability in the Windows Internet Naming Service (WINS)
O-078: Samba - Unauthorized Access to SMB Accounts
O-079: SGI - Userland Binary Vulnerabilities
O-080: Novell iChain Telnet Service Vulnerability
O-081: Red Hat Updated XFree86 Packages Fix Privilege Escalation Vulnerability
O-082: Red Hat Updated Kernel Packages Resolve Security Vulnerabilities
O-083: Red Hat Updated Metamail Packages Fix Vulnerabilities
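The affected-range and fixed-version statements in the bulletin above (versions 4.0 and above affected, fixed in ZoneAlarm 4.5.538.001, Integrity 4.0.146.046 and Integrity 4.5.085) reduce to a version comparison an administrator can run over an inventory. The following is an added example, not part of the CIAC or Zone Labs bulletin; the product names and fixed versions come from the bulletin, the inventory entries are constructed, and the treatment of an Integrity 4.x line with no listed fix as still affected is an assumption.

```python
"""Flag Zone Labs client installs that fall inside this bulletin's affected range."""

# Minimum fixed versions per product line, taken from "Recommended Actions".
FIXED_VERSIONS = {
    "ZoneAlarm": "4.5.538.001",      # also ZoneAlarm Plus and ZoneAlarm Pro
    "Integrity 4.0": "4.0.146.046",
    "Integrity 4.5": "4.5.085",
}


def parse_version(text):
    """Turn '4.5.538.001' into a tuple of ints so that comparison is numeric.
    A lexical compare would wrongly rank '4.5.85' below '4.5.538'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, installed):
    """True if the installed version is 4.0 or later and below the fix for its line."""
    version = parse_version(installed)
    if version < (4, 0):
        return False  # the bulletin lists versions earlier than 4.0 as unaffected
    if product.startswith("Integrity"):
        # Integrity fixes are issued per minor line (4.0.x and 4.5.x).
        line = "Integrity %d.%d" % (version[0], version[1])
        fixed = FIXED_VERSIONS.get(line)
        if fixed is None:
            return True  # assumption: a 4.x line with no listed fix is still affected
    else:
        fixed = FIXED_VERSIONS["ZoneAlarm"]
    return version < parse_version(fixed)


def hosts_needing_upgrade(inventory):
    """Return the hostnames whose (product, version) pair is affected."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed inventory for illustration: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "ZoneAlarm Pro", "4.5.538.001"),   # already at the fixed version
    ("ws-02", "ZoneAlarm", "4.5.530.000"),       # 4.x but below the fix
    ("ws-03", "ZoneAlarm", "3.7.202"),           # pre-4.0, listed as unaffected
    ("srv-01", "Integrity 4.0", "4.0.146.045"),  # one build short of the fix
    ("srv-02", "Integrity 4.5", "4.5.085"),      # at the fixed version
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print("upgrade required:", host)
```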