
IMAP connections getting blocked by IPS due to dovecot/Pigeon Hole Exploit

Hi

I've got 2 sites where users are complaining of intermittent (at best) connection/retrieval of emails. Checking the logs, they are full of IPS blocks due to dovecot/pigeonhole remote code exploits.

The firewall log also has numerous entries of blocks of invalid traffic: unable to match packet to connection, and invalid TCP RST.

IPS log entry:

  • Signatures / Detect
  • LAN user -> External mail server
  • 2300999: PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability (protocol-imap)

Firewall log entries:

  • Invalid Traffic / Denied, 8, Port8, [LAN user]:43182 -> [External mail server]:143, TCP, 1, 01001: Invalid TCP RST.
  • Invalid Traffic / Denied, 0, Port8, [LAN User]:43078 -> [External mail server]:143, TCP, 0, 01001: Could not associate packet to any connection.

It seems to come down to the default(?) IPS policy lantowan_general and its single entry Migrate_def_filter_3, which has (amongst others):

  • PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability, 2300999, protocol-imap, 1 - Critical, Windows, Linux, Server, Drop packet


Interestingly, in the IPS log it looks like the server is the victim rather than the clients. The clients range across Windows 10, macOS, iPads and iPhones.

log_type="IDP"
log_component="Signatures"
log_subtype="Detect"
ips_policy=""
ips_policy_id="0"
fw_rule_id="0"
user=""
sig_id="2300999"
message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability"
classification="Unknown"
rule_priority="1"
src_ip="[LAN client]"
src_country="R1"
dst_ip="[Ext mail server]"
dst_country="USA"
protocol="TCP"
src_port="45780"
dst_port="143"
OS="Linux,Windows"
category="protocol-imap"
victim="Server"

  • Hi GregBuff,

    I am seeing the same "attack" but only on my wife's MBP Outlook account. The IPS shows the victim as being the client server?

    • messageid="07001"
    • log_type="IDP"
    • log_component="Signatures"
    • log_subtype="Detect"
    • ips_policy=""
    • ips_policy_id="11"
    • fw_rule_id="12"
    • user="magdalenas-mbp"
    • sig_id="1190508052"
    • message="SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference"
    • classification="Misc Attack"
    • rule_priority="1"
    • src_ip="1.159.35.204"
    • src_country="AUS"
    • dst_ip="203.0.178.192"
    • dst_country="AUS"
    • protocol="TCP"
    • src_port="40420"
    • dst_port="587"
    • OS="Windows"
    • category="server-mail"
    • victim="Client"


    Ian

  • Hi Ian

    That is interesting, glad someone else has similar entries.

    Does your traffic get blocked? These clients end up using mobile data for their phones but eventually the other devices are let through, but it can be days later.

    Cheers

    Greg

  • I am in the middle of a network overhaul.  I'm moving from my Sophos UTM and some crappy access points to using a new XG and three APX120.  IMAP mail is not working to my personal ISP mail server.  I'm getting the dovecot attack errors.

    The irony is that I am having to use my web browser to read Sophos support emails regarding an issue on one of my APX120 devices.  I cannot use a mail client to read the replies.

    At this point I'm about to do an exception for it to work my one machine unless I found a solution.

  • Please let me know how you go.

    I've got an exemption but I feel like it should be fixed rather than ignored.

  • Hi,

    Found the issue returned on the 19th of May after a long break from the 4th of May. The issue only occurs against one ISP mail server on my wife's MBP running Outlook. The issue does not occur when running Mac Mail.

    Ian

  • Hi folks,

    Some further thoughts: my XG is currently running v18.0.0 354 with hotfix, and the IPS issue appears to have started the day I rolled back from v18.0.1 with hotfixes.

    Ian

  • Yes, I have this issue with my personal ISP.  I use it to host my personal email addresses to avoid all the issues that come with the convenience and price of the "free" email services.

    I'm thinking the exception is the only way this will work at this point.

  • I found the solution.  I kinda stumbled on it after an hour.

    I was playing with this, using multiple accounts and using two mail clients (thunderbird & the built-in mail client for Win10).  Eventually I hit a certificate error when using the Win10 client.  I clicked the dreaded "continue" button which we tell our users to NEVER do and it worked.

    So, then I simply downloaded the XG Appliance Cert and imported into Thunderbird.  I think this fixed my problem but we'll see.

    Mail is working but I will let you know if the alerts stop.

  • Hi, 

    well done.

    The reason my issue re-occurred is that I don't have mail scanning working at the moment. I am waiting for the MR-1 update so I can restore the mail scanning setup.

    Ian

  • I removed my "suggest as answer".  My problem is back the next day.  Sigh.

    (I turned on my FW rule for bypassing this and my mail flowed just fine.)

  • Has anyone created a support ticket for this?

  • I haven't, as it got put on the back burner after putting the exception rule in. I do remember having intermittent flow, though it was usually not working unless connected via other means, not via Sophos!
