Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
MattDunn
Advisor

IPS Issue CVE-2021-26855?

Hi all,

I have a case open with TAC but you wonderful people are often faster and fixing things 🙂

I believe my firewall is currently allowing the recent critical Exchange vulnerability through - CVE-2021-26855.

I have the protection set to Prevent, and TAC have confirmed that the protection and IPS policy is all present and correct.  When I run a Nessus scan it reports the vulnerability is present, but there isn't even a sniff in the CP logs that it's being detected, let alone prevented.  There are plenty of other IPS prevention triggered by the scan, but nothing for CVE-2021-26855.

I've noticed the logs show loads of SMTP "bypass" log entries.  Example below showing my Nessus server (out on the Internet) scanning the NAT IP of the mail server.  Why is this being bypassed?  Could this be anything to do with why IPS is seemingly oblivious to the 'attack'?  I have to assume for now that Nessus is correct, and that particular attack would indeed be allowed straight through the firewall and straight past the IPS protection. 

Anyone any ideas if it's a (really serious) bug, or my config error?

Rule 34 is  ANY  >  Mail server  >  SMTP  >  Allow.  

But surely IPS should detect this attack and block it?  There's no evidence at the moment that IPS is doing so.

BYPASS2.PNG

0 Kudos
2 Replies
Bob_Zimmerman
Advisor

Nessus generally doesn't try to actually exploit a given vulnerability. It looks at the service banner (and a few other characteristics) and returns all the vulnerabilities associated with services which return that banner.

To confirm that the IPS signature works in your environment, you would need proof of concept code for the vulnerability. You could then run the PoC with the IPS signature disabled (the PoC should work), then again with the IPS signature set to prevent (the PoC should fail).

Cyber_Serge
Collaborator

Did you check your https inspection setting?

0 Kudos