This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Problems with SMTP after latest Vuln Profile update?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problems with SMTP after latest Vuln Profile update?

bradenmcg
L3 Networker

‎02-17-2011 02:55 PM

Anyone else seeing a bunch of their SMTP connections blocked by this signature after the latest update?

Name:SMTP EHLO/HELO overlong argument anomaly
ID:30384
Description:This anomaly would be triggered when an overlong parameter is sent to the HELOcommand of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier2.51 might be prone to an overflow vulnerability while parsing the craftedrequest.A successful attack could lead to remote code execution with the privileges of the current logged-in user. 

I don't use any of the affected software so I am going to whitelist that ID, but the fact that it was just added to the system and caused me problems seemed to be something that shouldn't happen...

0 Likes Likes
3 REPLIES 3

rapoint_person
L3 Networker

‎02-18-2011 12:17 AM

What version are we talking about?

0 Likes Likes

bradenmcg
L3 Networker
In response to rapoint_person

‎02-18-2011 09:04 AM

232-884Apps, ThreatsFull12 MB2011/02/15 10:46:28

I believe I'm seeing it in relation to a recent SSL cert update I installed on my mail and anti-spam units (both of which do send outbound mail as well).  I don't know if the latest threat update is at fault; it may happen with the previous releases as well (but I don't want to roll back right now to test).

The new cert is a wildcard cert from DigiCert, and I have several subject alternative names (SANs) on it, which make the whole thing much longer than a standard cert when it is presented in an SMTP HELO/EHLO.

The vuln profile itself may not actually be at "fault" here in that it may not be the newest version causing the problem...  however, a completely legit EHLO responding to a STARTTLS request shouldn't be triggering the profile to block traffic.

0 Likes Likes

rapoint_person
L3 Networker
In response to bradenmcg

‎02-18-2011 10:36 AM

Yep, Sounds like it should be related to your certificate. The CVE is old, so I guess this is an issue in the previous version/versions as well. I think you may need to dive in to the release notes and se what has changed if no one else here can aid. If all else fails open a case. Would like to hear how things turn out though!

Btw, Do you know for a fact that your server is subject for the threat mentioned? If not, start by exempting the threat-id until it is resolved.

  • 2328 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks