12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


IDS events: Intrusion attempts

Affected: No specific targets.
False Positives: None known.
References: http://www.whitehats.com (arachNIDS #245); SMTP Specifications

SMTP HELO Buffer Overflow Attempt

Base Event: SMTP_CLIENT_HELO_BOF
Details: An overflow attempt was detected against the SMTP daemon. This usually indicates that an attacker is attempting sendmail overflow attacks. A buffer overflow is usually an attempt to gain access to the system by having the targeted service execute code on the attacker's behalf which modifies the system in some way.
Response: Response typically involves locating the source and verifying if it is a legitimate client or not. If you suspect the attack was successful, an audit of the victim system is also useful.
Affected: No specific targets.
False Positives: None known.
References: SMTP Specifications

SMTP Overflow Attempt

Base Event: SMTP_PROBABLE_NOOP_BUFFER_EXPLOIT
Details: NO-OP instructions were found in an email recipient's address. This may indicate an attempted buffer overflow attack.
Response: Location and audit of client and server is recommended. Examination of the packet contents may provide some additional information about the particular command.
Affected: No specific targets.
False Positives: None known.
References: SMTP Specifications

SMTP Sendmail Header Overflow

Base Event: SMTP_SENDMAIL_BO
Details: Sendmail is a widely used Mail Transfer Agent (MTA) for UNIX and Microsoft Windows systems. A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting to them malformed SMTP data.

The overflow condition occurs when Sendmail processes incoming e-mail messages containing malformed address parameters in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. Successful attackers may exploit this vulnerability to gain root privileges on affected servers remotely.

An exploit for this vulnerability is currently circulating on the internet.
Response: Administrators are advised to upgrade to 8.12.8 or apply available patches to prior versions of the 8.x tree.
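As an added illustration (not code from the guide or from the gateway product), the sketch below shows the kind of per-line check that could raise the SMTP_CLIENT_HELO_BOF and SMTP_PROBABLE_NOOP_BUFFER_EXPLOIT events described above. The thresholds, the function names, the treatment of EHLO alongside HELO, and the sample session are all assumptions constructed for this example; the guide does not document the gateway's actual matching rules.

```python
import re

# Assumed thresholds for this sketch; the guide does not publish the gateway's values.
MAX_HELO_ARG = 255   # assumption: longest HELO/EHLO argument treated as normal
MIN_NOP_RUN = 16     # assumption: consecutive 0x90 bytes treated as a NO-OP run

NOP_RUN = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)
COMMAND = re.compile(rb"^\s*(HELO|EHLO|RCPT TO:|MAIL FROM:)\s*(.*)$", re.I | re.S)


def inspect_client_line(line: bytes) -> list:
    """Return the base event names that one SMTP client line would raise."""
    m = COMMAND.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    verb, arg = m.group(1).upper(), m.group(2)
    events = []
    # Oversized greeting argument: candidate for the HELO overflow event.
    if verb in (b"HELO", b"EHLO") and len(arg) > MAX_HELO_ARG:
        events.append("SMTP_CLIENT_HELO_BOF")
    # Long run of x86 NO-OP bytes inside the recipient address.
    if verb == b"RCPT TO:" and NOP_RUN.search(arg):
        events.append("SMTP_PROBABLE_NOOP_BUFFER_EXPLOIT")
    return events


# Constructed sample session (not captured traffic): filler bytes only, no payload.
SAMPLE_SESSION = [
    b"HELO mail.example.org\r\n",
    b"HELO " + b"A" * 1024 + b"\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.org>\r\n",
    b"RCPT TO:<" + b"\x90" * 64 + b"@example.org>\r\n",
]


def scan(session):
    """Return (line index, event name) pairs for every line that raises an event."""
    return [(i, ev) for i, line in enumerate(session)
            for ev in inspect_client_line(line)]


if __name__ == "__main__":
    for idx, event in scan(SAMPLE_SESSION):
        print(f"line {idx}: {event}")
```

An alert from a check like this is the starting point for the Response steps in each entry: locate the source, confirm whether it is a legitimate client, and examine the packet contents.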
