Anyone else seeing a bunch of their SMTP connections blocked by this signature after the latest update?
|Name:||SMTP EHLO/HELO overlong argument anomaly|
|Description:||This anomaly would be triggered when an overlong parameter is sent to the HELOcommand of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier2.51 might be prone to an overflow vulnerability while parsing the craftedrequest.A successful attack could lead to remote code execution with the privileges of the current logged-in user.|
I don't use any of the affected software so I am going to whitelist that ID, but the fact that it was just added to the system and caused me problems seemed to be something that shouldn't happen...
|232-884||Apps, Threats||Full||12 MB||2011/02/15 10:46:28|
I believe I'm seeing it in relation to a recent SSL cert update I installed on my mail and anti-spam units (both of which do send outbound mail as well). I don't know if the latest threat update is at fault; it may happen with the previous releases as well (but I don't want to roll back right now to test).
The new cert is a wildcard cert from DigiCert, and I have several subject alternative names (SANs) on it, which make the whole thing much longer than a standard cert when it is presented in an SMTP HELO/EHLO.
The vuln profile itself may not actually be at "fault" here in that it may not be the newest version causing the problem... however, a completely legit EHLO responding to a STARTTLS request shouldn't be triggering the profile to block traffic.
Yep, Sounds like it should be related to your certificate. The CVE is old, so I guess this is an issue in the previous version/versions as well. I think you may need to dive in to the release notes and se what has changed if no one else here can aid. If all else fails open a case. Would like to hear how things turn out though!
Btw, Do you know for a fact that your server is subject for the threat mentioned? If not, start by exempting the threat-id until it is resolved.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!