Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi all,
I have a case open with TAC but you wonderful people are often faster and fixing things 🙂
I believe my firewall is currently allowing the recent critical Exchange vulnerability through - CVE-2021-26855.
I have the protection set to Prevent, and TAC have confirmed that the protection and IPS policy is all present and correct. When I run a Nessus scan it reports the vulnerability is present, but there isn't even a sniff in the CP logs that it's being detected, let alone prevented. There are plenty of other IPS prevention triggered by the scan, but nothing for CVE-2021-26855.
I've noticed the logs show loads of SMTP "bypass" log entries. Example below showing my Nessus server (out on the Internet) scanning the NAT IP of the mail server. Why is this being bypassed? Could this be anything to do with why IPS is seemingly oblivious to the 'attack'? I have to assume for now that Nessus is correct, and that particular attack would indeed be allowed straight through the firewall and straight past the IPS protection.
Anyone any ideas if it's a (really serious) bug, or my config error?
Rule 34 is ANY > Mail server > SMTP > Allow.
But surely IPS should detect this attack and block it? There's no evidence at the moment that IPS is doing so.
