https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6057#M4398 <HTML><HEAD></HEAD><BODY><TABLE border="0" cellpadding="0" cellspacing="0" style="border-top-width: 1px; border-top-style: solid; border-top-color: #a4bccf;"><TBODY><TR id="content-232-884"><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">232-884</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">Apps, Threats</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">Full</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">12 MB</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">2011/02/15 10:46:28</TD></TR></TBODY></TABLE><P></P><P>I believe I'm seeing it in relation to a recent SSL cert update I installed on my mail and anti-spam units (both of which do send outbound mail as well).&nbsp; I don't know if the latest threat update is at fault; it may happen with the previous releases as well (but I don't want to roll back right now to test).</P><P></P><P>The new cert is a wildcard cert from DigiCert, and I have several subject alternative names (SANs) on it, which make the whole thing much longer than a standard cert when it is presented in an SMTP HELO/EHLO.</P><P></P><P>The vuln profile itself may not actually be at "fault" here in that it may not be the newest version causing the problem...&nbsp; however, a completely legit EHLO responding to a STARTTLS request shouldn't be triggering the profile to block traffic.</P></BODY></HTML> Fri, 18 Feb 2011 17:04:28 GMT bradenmcg 2011-02-18T17:04:28Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6055#M4396 <HTML><HEAD></HEAD><BODY><P>Anyone else seeing a bunch of their SMTP connections blocked by this signature after the latest update?</P><P></P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="padding-bottom: 10px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #dddddd;"><TBODY><TR><TD style="padding-top: 3px; padding-right: 10px; padding-bottom: 5px; padding-left: 4px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ffffff; font-weight: bold; text-align: right; vertical-align: top;" width="180">Name:</TD><TD style="padding-top: 3px; padding-right: 10px; padding-bottom: 5px; padding-left: 4px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ffffff; vertical-align: top;">SMTP EHLO/HELO overlong argument anomaly</TD></TR><TR><TD style="padding-top: 3px; padding-right: 10px; padding-bottom: 5px; padding-left: 4px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ffffff; font-weight: bold; text-align: right; vertical-align: top;" width="180">ID:</TD><TD style="padding-top: 3px; padding-right: 10px; padding-bottom: 5px; padding-left: 4px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ffffff; vertical-align: top;">30384</TD></TR><TR><TD style="padding-top: 3px; padding-right: 10px; padding-bottom: 5px; padding-left: 4px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ffffff; font-weight: bold; text-align: right; vertical-align: top;">Description:</TD><TD style="padding-top: 3px; padding-right: 10px; padding-bottom: 5px; padding-left: 4px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; background-color: #ffffff; vertical-align: top;">This anomaly would be triggered when an overlong parameter is sent to the HELOcommand of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier2.51 might be prone to an overflow vulnerability while parsing the craftedrequest.A successful attack could lead to remote code execution with the privileges of the current logged-in user.&nbsp; </TD></TR></TBODY></TABLE><P></P><P></P><P>I don't use any of the affected software so I am going to whitelist that ID, but the fact that it was just added to the system and caused me problems seemed to be something that shouldn't happen...</P></BODY></HTML> Thu, 17 Feb 2011 22:55:14 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6055#M4396 bradenmcg 2011-02-17T22:55:14Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6056#M4397 <HTML><HEAD></HEAD><BODY><P>What version are we talking about? </P></BODY></HTML> Fri, 18 Feb 2011 08:17:48 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6056#M4397 rapoint_person 2011-02-18T08:17:48Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6057#M4398 <HTML><HEAD></HEAD><BODY><TABLE border="0" cellpadding="0" cellspacing="0" style="border-top-width: 1px; border-top-style: solid; border-top-color: #a4bccf;"><TBODY><TR id="content-232-884"><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">232-884</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">Apps, Threats</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">Full</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">12 MB</TD><TD style="font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 11px; padding-top: 3px; padding-right: 4px; padding-bottom: 3px; padding-left: 4px; border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #a4bccf; border-right-width: 1px; border-right-style: solid; border-right-color: #a4bccf;">2011/02/15 10:46:28</TD></TR></TBODY></TABLE><P></P><P>I believe I'm seeing it in relation to a recent SSL cert update I installed on my mail and anti-spam units (both of which do send outbound mail as well).&nbsp; I don't know if the latest threat update is at fault; it may happen with the previous releases as well (but I don't want to roll back right now to test).</P><P></P><P>The new cert is a wildcard cert from DigiCert, and I have several subject alternative names (SANs) on it, which make the whole thing much longer than a standard cert when it is presented in an SMTP HELO/EHLO.</P><P></P><P>The vuln profile itself may not actually be at "fault" here in that it may not be the newest version causing the problem...&nbsp; however, a completely legit EHLO responding to a STARTTLS request shouldn't be triggering the profile to block traffic.</P></BODY></HTML> Fri, 18 Feb 2011 17:04:28 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6057#M4398 bradenmcg 2011-02-18T17:04:28Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6058#M4399 <HTML><HEAD></HEAD><BODY><P>Yep, Sounds like it should be related to your certificate. The CVE is old, so I guess this is an issue in the previous version/versions as well. I think you may need to dive in to the release notes and se what has changed if no one else here can aid. If all else fails open a case. Would like to hear how things turn out though!</P><P></P><P>Btw, Do you know for a fact that your server is subject for the threat mentioned? If not, start by exempting the threat-id until it is resolved.</P></BODY></HTML> Fri, 18 Feb 2011 18:36:51 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-smtp-after-latest-vuln-profile-update/m-p/6058#M4399 rapoint_person 2011-02-18T18:36:51Z