This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
‎2021-05-13 05:44 AM

IPS Issue CVE-2021-26855?

Hi all,

I have a case open with TAC but you wonderful people are often faster and fixing things 🙂

I believe my firewall is currently allowing the recent critical Exchange vulnerability through - CVE-2021-26855.

I have the protection set to Prevent, and TAC have confirmed that the protection and IPS policy is all present and correct.  When I run a Nessus scan it reports the vulnerability is present, but there isn't even a sniff in the CP logs that it's being detected, let alone prevented.  There are plenty of other IPS prevention triggered by the scan, but nothing for CVE-2021-26855.

I've noticed the logs show loads of SMTP "bypass" log entries.  Example below showing my Nessus server (out on the Internet) scanning the NAT IP of the mail server.  Why is this being bypassed?  Could this be anything to do with why IPS is seemingly oblivious to the 'attack'?  I have to assume for now that Nessus is correct, and that particular attack would indeed be allowed straight through the firewall and straight past the IPS protection. 

Anyone any ideas if it's a (really serious) bug, or my config error?

Rule 34 is  ANY  >  Mail server  >  SMTP  >  Allow.  

But surely IPS should detect this attack and block it?  There's no evidence at the moment that IPS is doing so.

BYPASS2.PNG

0 Kudos
2 Replies
Bob_Zimmerman
Authority
Authority
‎2021-05-13 06:41 AM

Nessus generally doesn't try to actually exploit a given vulnerability. It looks at the service banner (and a few other characteristics) and returns all the vulnerabilities associated with services which return that banner.

To confirm that the IPS signature works in your environment, you would need proof of concept code for the vulnerability. You could then run the PoC with the IPS signature disabled (the PoC should work), then again with the IPS signature set to prevent (the PoC should fail).

Cyber_Serge
Collaborator
‎2021-05-13 11:53 AM

Did you check your https inspection setting?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events