[Full-Disclosure] Zone Labs Security Advisory ZL04-08 - SMTP processing vulnerability

From: Zone Labs Product Security (Product-Security_at_zonelabs.com)
Date: 02/19/04

  • Next message: Jorrit Kronjee: "Re: [Full-Disclosure] Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <vulnwatch@vulnwatch.org>
    Date: Wed, 18 Feb 2004 16:33:05 -0800

    Hash: SHA1

    Zone Labs Security Advisory ZL04-008
    Zone Labs SMTP Processing Vulnerability

    Date Published February 18, 2004
    Date Last Revised February 18, 2004

    Severity Medium


    A security vulnerability exists in specific versions of ZoneAlarm,
    ZoneAlarm Pro, ZoneAlarm Plus and the Zone Labs Integrity client.
    This vulnerability is caused by an unchecked buffer in Simple Mail
    Transfer Protocol (SMTP) processing which could lead to a buffer
    overflow. In order to exploit the vulnerability without user
    assistance, the target system must be operating as an SMTP server.
    Zone Labs does not recommend using our client security products to
    protect servers.

    Upgrading an affected Zone Labs product will remove this


    If successfully exploited, a skilled attacker could cause the
    firewall to stop processing traffic, execute arbitrary code, or
    elevate malicious code's privileges.

    Zone Labs recommends affected users update their software to the
    current versions which address the issue.
    Affected Products
        * ZoneAlarm family of products and Integrity client versions
          4.0 and above

    Unaffected Products
        * ZoneAlarm and Integrity client versions earlier than 4.0

    Integrity Server and Integrity Clientless Security products are not


    Zone Labs desktop security products process SMTP in order to perform
    various security functions. Due to an unchecked buffer in the SMTP
    processing system, a skilled attacker could cause the firewall to
    stop processing traffic or execute arbitrary code.

    Successful exploitation requires one of the following scenarios and
    applies only to SMTP traffic:

        * A program listening on port 25/TCP (SMTP) of the target system.
          This condition is usually only present on SMTP servers.
          Zone Labs does not recommend using our client security products
          to protect servers.

        * A malicious program running on the protected system could
          trigger the buffer overflow and gain SYSTEM privileges if the
          user or administrator has given it permission to access the

    In all cases, the program requesting network access must be approved
    by the user through the Program Control policy.

    Recommended Actions

    ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro users should upgrade to
    version: 4.5.538.001

    To update your Zone Labs client product:

        1. Select Overview | Preferences.

        2. In the Check for Updates area, choose an update option.

        Automatically: Zone Labs security software automatically notifies
        you when an update is available.

        Manually: You monitor the Status tab for updates. To invoke an
        update check immediately, click Check for Update.

    Integrity 4.0 users should upgrade to Integrity client version:

    Integrity 4.5 users should upgrade to Integrity client version:

    Integrity updates are available on the Zone Labs Enterprise Support
    web site.

    Related Resources

        * Zone Labs Security Services:


    Zone Labs would like to acknowledge eEye Digital Security for
    reporting this issue to Zone Labs.


    Zone Labs customers who are concerned about this vulnerabilities or
    have additional technical questions may reach our Technical Support
    group at: http://www.zonelabs.com/support/

    To report security issues with Zone Labs products contact:


    The information in the advisory is believed to be accurate at the
    time of publishing based on currently available information. Use of
    the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct,
    indirect, or consequential loss or damage arising from use of, or
    reliance on, this information. Zone Labs and Zone Labs products, are
    registered trademarks of Zone Labs Incorporated and/or affiliated
    companies in the United States and other countries. All other
    registered and unregistered trademarks represented in this document
    are the sole property of their respective companies/owners.


    2004 Zone Labs, Inc. All rights reserved. Zone Labs, TrueVector,
    ZoneAlarm, and Cooperative Enforcement are registered trademarks of
    Zone Labs, Inc. The Zone Labs logo, Zone Labs Integrity and IMsecure
    are trademarks of Zone Labs, Inc. Zone Labs Integrity protected under
    U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative
    Enforcement is a service mark of Zone Labs, Inc. All other trademarks
    are the property of their respective owners.

    Permission to redistribute this alert electronically is granted as
    long as it is not edited in any way unless authorized by Zone Labs.
    Reprinting the whole or part of this alert in any medium other than
    electronically requires permission from Zone Labs.

    Version: PGP 8.0.2

    -----END PGP SIGNATURE-----

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Jorrit Kronjee: "Re: [Full-Disclosure] Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"