|
|
|
|
| |
Credit:
The information has been provided by Microsoft Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
|
| |
Vulnerable Systems:
* Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004(870540) - Download the update
* Microsoft Exchange Server 2003 Service Pack 1 Download the update
* Microsoft Exchange Server 2003 Service Pack 2 Download the update
Exchange Calendar Vulnerability - CVE-2006-0027:
A remote code execution vulnerability exists in Microsoft Exchange Server that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an email with certain vCal or iCal properties.
Mitigating Factors for Exchange Calendar Vulnerability - CVE-2006-0027:
There are no known mitigating factors.
Workarounds for Exchange Calendar Vulnerability - CVE-2006-0027:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they will help to block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Require authentication for connections to a server that is running Microsoft Exchange Server for all client and message transport protocols.
Requiring authentication for all connections made to the Exchange Server computer will help protect against anonymous attacks. This will not protect against an attack from a malicious user who can successfully authenticate.
Impact of workaround: Anonymous communication from clients through IMAP, POP3, HTTP, LDAP, SMTP, and NNTP will no longer be possible. Server to server anonymous communication through RPC, X.400, foreign gateway, and third-party connector protocols will also no longer be possible. In default configurations of Exchange Server, authenticated access is required for all protocols except SMTP. If all text/calendar MIME type message parts and the meeting.ics file are blocked, anonymous SMTP connections could still be accepted.
* Block iCal/vCal on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail.
Systems can be configured to block certain types of files from being received as e-mail attachments. Meeting requests, typically used in Outlook, contain a file attachment that stores the meeting information. This file attachment is usually named meeting.ics. Blocking this file, and blocking the calendar MIME type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update. To help protect an Exchange Server computer from attacks through SMTP, block the .ics files and all text/calendar MIME type content before it reaches the Exchange Server computer.
Note Exchange supports other messaging protocols, such as X.400, that these workarounds do not protect. We recommend that administrators require authentication on all other client and message transport protocols to help prevent attacks using these protocols.
Note Filtering only for attachments that have the file name meeting.ics may not be sufficient to help protect your system. A specially crafted file attachment could be given another file name that could then be processed by the Exchange Server computer. To help protect against specially crafted e-mail messages, block all text/calendar MIME type content.
There are many ways to block the meeting.ics file and other calendar content. Here are some suggestions:
* You can use ISA Server 2000 SMTP Message Screener to block all file attachments or to block only the meeting.ics file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 315132.
* You can use ISA Server 2000 SMTP Filter to block all file attachments or to block only the meeting.ics file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 320703 .
* You can use ISA Server 2004 SMTP Filter and Message Screener block all file attachments or just the meeting.ics file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2004 because ISA Server 2004 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 888709.
* You can use third-party e-mail filters to block all text/calendar MIME type content before it is sent to the Exchange Server computer or to a vulnerable application.
Impact of workaround: If calendar attachments are blocked, meeting requests will not be received correctly. In some cases, users could receive blank e-mail messages instead of the original meeting request. In other cases, users may not receive meeting requests at all. Perform this workaround only if you cannot install the available security update or if a security update is not publicly available for your configuration
FAQ for Exchange Calendar Vulnerability - CVE-2006-0027:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
EXCDO and CDOEX functionality provided with Exchange server does not properly process certain iCAL and vCAL properties provided in email messages.
What are EXCDO and CDOEX?
Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) are interfaces that allow for certain types of information to be processed in the Exchange store.
What is vCAL?
Virtual Calendar (vCAL) is a MIME content type used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling.
What is iCAL?
Internet Calendar (iCAL) is a MIME content type used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
An anonymous user who could send a message with specially crafted vCAL or iCAL properties to an Exchange Server could try to exploit this vulnerability.
What systems are primarily at risk from the vulnerability?
Microsoft Exchanger Servers are at risk.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet.
What does the update do?
The update removes the vulnerability by modifying the way Exchange Server processes messages with iCAL or vCAL properties.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
|
|
|
|
|
