Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 16 replies
  • Subscribers 29 subscribers
  • Views 9250 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IMAP connections getting blocked by IPS due to dovecot/Pigeon Hole Exploit

GregBuff

Hi

I've got 2 sites that users are complaining of intermittent (at best) connection/retrieval of emails. Checking the logs it is full of IPS blocks due to dovecot/pigeon hole remote code exploits.

The firewall log also has numerous entries of blocks of invalid traffic unable to match packet to connection and invalid TCP RST

Signatures
Detect
  
LAN user
External mail server
2300999
PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability
protocol-imap
Invalid Traffic
Denied
  
8
Port8
  
[LAN user]
[External mail server]
43182
143
TCP
1
01001
Open PCAP
Invalid TCP RST.
 
Invalid Traffic
Denied
  
0
Port8
  
[LAN User]
[External mail server]
43078
143
TCP
0
01001
Open PCAP
Could not associate packet to any connection.

It seems to come down to the default(?) IPS Policy lantowan_general and its single entry Migrate_def_filter_3 which has(amongst others).

PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability
2300999
protocol-imap
1 - Critical
Windows, Linux
Server
Drop packet

 

Interestingly in the IPS log it looks like the server is the victim rather than the clients. The clients range from windows 10, mac os, ipads, iphones.

log_type="IDP"
log_component="Signatures"
log_subtype="Detect"
ips_policy=""
ips_policy_id="0"
fw_rule_id="0"
user=""
sig_id="2300999"
message="PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability"
classification="Unknown"
rule_priority="1"
src_ip="[LAN client]"
src_country="R1"
dst_ip="[Ext mail server]"
dst_country="USA"
protocol="TCP"
src_port="45780"
dst_port="143"
OS="Linux,Windows"
category="protocol-imap"
victim="Server"

 



This thread was automatically locked due to age.
  • 0

    Hi GregBuff,

    I am seeing the same "attack" but only on my wife's MBP outlook account. The IPS shows the victim as being the client server?.

    • messageid="07001"
    • log_type="IDP"
    • log_component="Signatures"
    • log_subtype="Detect"
    • ips_policy=""
    • ips_policy_id="11"
    • fw_rule_id="12"
    • user="magdalenas-mbp"
    • sig_id="1190508052"
    • message="SERVER-MAIL Dovecot Submission-Login Service NULL Pointer Dereference"
    • classification="Misc Attack"
    • rule_priority="1"
    • src_ip="1.159.35.204"
    • src_country="AUS"
    • dst_ip="203.0.178.192"
    • dst_country="AUS"
    • protocol="TCP"
    • src_port="40420"
    • dst_port="587"
    • OS="Windows"
    • category="server-mail"
    • victim="Client"

     

    Ian

  • 0 in reply to rfcat_vk

    Hi Ian

    That is interesting, glad someone else has similar entries.

    Does your traffic get blocked? These clients end up using mobile data for their phones but eventually the other devices are let through, but it can be days later.

    Cheers

    Greg

  • 0 in reply to GregBuff

    Hi Greg,

    I haven't seen any log entries since the 4th May my time. 

    Something has gone wrong with the XG auto-updates of patterns. I had to force a manual update (0800 appprox) and only received a new IPS (dated 0345), the anti-virus have not updated since yesterday afternoon.

    At the moment my MBP is having a very hard time with mail connections and showing strange ports, though the iPad and iPhone appear to be working okay.

    My wife's outlook account is stuck on sync pending, but nothin in the XG logs.

    I am also seeing a very high IPS count in the GUI, abut again nothing in the logs.

    My mail is now working okay, not sure what is going on?

    Ian

  • 0 in reply to rfcat_vk

    Hi Ian

    My patterns are up to date and just did a manual check and no change.

    Pattern
    Current version
    Available version
    Last successful update
    Status
    AP Firmware
    11.0.012
    -
    13:20:07, Apr 26 2020
    Success
    ATP
    1.0.0295
    -
    21:30:10, Apr 30 2020
    Success
    Avira AV
    1.0.407368
    -
    21:30:30, May 04 2020
    Success
    Authentication Clients
    1.0.0019
    -
    18:35:34, Dec 21 2019
    Success
    IPS and Application signatures
    9.17.05
    -
    12:37:43, May 01 2020
    Success
    Sophos Connect Clients
    1.4.001
    -
    18:36:07, Dec 21 2019
    Success
    RED Firmware
    3.0.000
    -
    21:32:53, Apr 26 2020
    Success
    Sophos AV
    1.0.15555
    -
    21:30:51, May 04 2020
    Success
    SSLVPN Clients
    1.0.007
    -
    18:36:08, Dec 21 2019
    Success
    WAF
    1.0.0006
    -
    18:36:10, Dec 21 2019
    Success

    Where do you get those versions? They seem very different to mine.

    Do your iPad/iPhone switch to mobile data if unable to connect via wifi?

    When I log into Central the are hundreds of imap attacks, all against the mail server. Numbers vary between devices, obviously some are used more than others and must therefore retry more often.

    My current work around is a firewall rule above my normal LAN>WAN rule that allows any zone, any net to any zone, any net, with only email services (manually configured entry with the usual ports) and IPS is not selected, or any other feature for that matter.

    I picked this up (and whitelisted/bypassed) pretty early at one site but hadnt had any complaints at the second site - slow and late must have been good enough! It was only when I was extending the wifi with some APX120s that it was mentioned amongst the connectivity issues.

  • 0 in reply to GregBuff

    Hi Greg,

    here is my version taken a couple of minutes ago.

    The interesting thing about this is the iPad which uses the same firewall rule as the MBPs did not have an issue. I eventually was able to ge try wife's outlook working after having to force quit and then restarted without any further errors. 

    I have not seen any entries in the IPS log since the 4th May. My IPS count is still growing and I have no idea why?

    Ian

  • 0 in reply to rfcat_vk

    Hi Greg,

    after the IPS update the strange port translations stopped, not just  on mail but other non Apple devices.

    Still no AV updates.

    Ian

  • 0 in reply to rfcat_vk

    I am in the middle of a network overhaul.  I'm moving from my Sophos UTM and some crappy access points to using a new XG and three APX120.  IMAP mail is not working to my personal ISP mail server.  I'm getting the dovecot attack errors.

    The irony is that I am having to use my web browser to read Sophos support emails regarding an issue on one of my APX120 devices.  I cannot use a mail client to read the the replies.

    At this point I'm about to do an exception for it to work my one machine unless I found a solution.

  • 0 in reply to JerryPlagge

    Please let me know how you go.

    I've got an exemption but I feel like it should be fixed rather than ignored.

  • 0 in reply to GregBuff

    Hi,

    found the issue returned on the 19th of May after a long break from the 4th of May. The issue only occurs agains one ISP mail server on my wife's MBP running outlook. The issue does not occur when running macmail.

    Ian

  • 0 in reply to rfcat_vk

    Hi folks,

    some further thoughts, my XG is currently running v18.0.0 354 with hotfix and the issue with IPS issue appears to have started the day I rolled back from v18.0.1 with hotfixes.

    Ian