A remote code execution vulnerability exists in Microsoft Exchange Server. An attacker who can connect to the SMTP port of an Exchange server and issue a specially crafted command could cause a denial of service, or could run code of their choice in the security context of the SMTP service.
Credit:
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS05-021.mspx
Affected Software:
* Microsoft Exchange 2000 Server Service Pack 3
* Microsoft Exchange Server 2003
* Microsoft Exchange Server 2003 Service Pack 1
Non-Affected Software:
* Microsoft Exchange Server 5.5 Service Pack 4
* Microsoft Exchange Server 5.0 Service Pack 2
CVE Information:
Exchange Server Vulnerability - CAN-2005-0560
Mitigating Factors for Exchange Server Vulnerability - CAN-2005-0560:
Exchange Server 2003 will not process commands of this type that originate from unauthenticated users. The level of authentication required to exploit this vulnerability is typically only granted to other Exchange Servers within the same organization.
Microsoft ISA Server 2000, or third-party products that relay and filter SMTP traffic before forwarding it to Exchange, could be used to prevent an attack over the Internet. Detailed instructions on how to help protect against an attack using ISA Server can be found at the ISA Server Preventative Measures Web site, under the link "Help Protect against Exchange Server vulnerability described in MS05-021".
Customers who use ISA Server 2000 or ISA Server 2004 to publish Exchange SMTP services with the default SMTP publishing rules are at reduced risk from this attack over the Internet. The Workarounds section below discusses these ISA publishing rules.
Workarounds for Exchange Server Vulnerability - CAN-2005-0560:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Use SMTP protocol inspection to filter out SMTP protocol extensions.
There are default ISA publishing rules for Exchange for filtering out any SMTP protocol extensions from traffic that passes the firewall. Other third-party products may offer similar functionality. More information on how to publish an Exchange server computer with ISA Server can be found by visiting the Microsoft Knowledge Base Article 311237.
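The check a practitioner wants after enabling SMTP protocol inspection is whether Exchange-specific extensions are still visible to an Internet client. The following PowerShell script is an added example, not part of the bulletin or of any Microsoft tool: it connects to a listener, reads the banner, sends EHLO and lists every extension keyword the server advertises, warning on any keyword that is not one of the commonly registered standard extensions (the list in the script is an assumption about what a generic MTA may offer). It issues no Exchange verb and does not attempt to exercise the vulnerability. The host name, port and EHLO name are assumptions.

```powershell
# Added example (not from MS05-021): list the SMTP extensions a server
# advertises in its EHLO reply, as seen from this client, and flag
# anything that is not a standard keyword. Host, port and EHLO name are
# assumptions; change them for the environment under test.
param(
    [string]$SmtpHost = 'mail.example.com',   # assumed target
    [int]$Port = 25,
    [string]$Helo = 'probe.example.com'       # assumed client name for EHLO
)

# Keywords registered by standards-track RFCs (assumed allow-list; vendor
# keywords, typically prefixed "X-", are not on it).
$standardKeywords = @('SIZE','8BITMIME','PIPELINING','CHUNKING','BINARYMIME',
                      'DSN','ENHANCEDSTATUSCODES','STARTTLS','AUTH','HELP',
                      'VRFY','EXPN','ETRN','ATRN','TURN','DELIVERBY','MTRK','SMTPUTF8')

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # A multi-line reply continues while the 4th character is '-' ("250-...")
    # and ends on the line whose 4th character is a space ("250 ...").
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($SmtpHost, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine = "`r`n"
$writer.AutoFlush = $true

$banner = Read-SmtpReply $reader
Write-Host "Banner: $($banner -join ' / ')"

$writer.WriteLine("EHLO $Helo")
$ehlo = Read-SmtpReply $reader
$writer.WriteLine('QUIT')
$client.Close()

if (-not $ehlo -or $ehlo[0] -notmatch '^250') {
    Write-Warning "EHLO was not accepted: $($ehlo -join ' / ')"
    return
}

# The first 250 line is the greeting; each further line names one extension.
$extensions = $ehlo | Select-Object -Skip 1 |
    ForEach-Object { if ($_.Length -gt 4) { $_.Substring(4).Trim() } }

foreach ($ext in $extensions) {
    $keyword = ($ext -split ' ')[0].ToUpperInvariant()
    if ($standardKeywords -contains $keyword) {
        Write-Host "standard     : $ext"
    } else {
        Write-Warning "non-standard extension reachable from this client: $ext"
    }
}
```

Run it from a host on the Internet side of the ISA Server or filtering relay; if extension keywords beyond the standard set are reported, the publishing rule is not stripping SMTP extensions as intended. Run from inside the perimeter it simply documents what the Exchange server itself offers.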
Only accept authenticated SMTP sessions.
If practical, accept only authenticated connections. Accepting connections only from trusted sources will prevent anonymous attackers from being able to exploit this issue.
To require SMTP authentication on an Exchange 2000 server:
1. Start Exchange System Manager.
2. Locate the server in the organization tree.
3. Expand the Protocols container for the server.
4. Expand the SMTP container.
5. For each SMTP virtual server:
* Open the properties of the virtual server object.
* Click the Access properties page.
* Click the Authentication button.
* Clear the "Anonymous Access" checkbox.
* Click OK to accept the change.
Impact of Workaround:
Typically, inbound SMTP mail is accepted without requiring authentication from the sender. If you implement this workaround, you will be able to receive email only from senders who have been granted appropriate permissions in your system.
NOTE: This workaround does not prevent a malicious authenticated user from exploiting this vulnerability. But it does protect you against attack by anonymous users.
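To confirm that the change above took effect on every SMTP virtual server, the effective authentication setting can be read from the IIS metabase on the Exchange server itself. The following PowerShell audit is an added example, not part of the bulletin: it enumerates the SMTP virtual servers through the IIS ADSI provider and decodes the AuthFlags value (1 = Anonymous, 2 = Basic, 4 = Integrated Windows authentication; the "Anonymous Access" checkbox corresponds to bit 1). The property names and bit values are those of the IIS metabase and are stated here as assumptions; the script must be run locally on the Exchange server with administrative rights.

```powershell
# Added example (not from MS05-021): report which SMTP virtual servers on
# this Exchange server still permit anonymous sessions. Read-only.
# AuthFlags bit values are the IIS metabase definitions (assumed here).
$AUTH_ANONYMOUS = 1
$AUTH_BASIC     = 2
$AUTH_NTLM      = 4

function Get-SmtpVirtualServerAuth {
    $svc = [ADSI]'IIS://localhost/SmtpSvc'
    foreach ($child in $svc.psbase.Children) {
        # Virtual servers are the numbered IIsSmtpServer children (1, 2, ...).
        if ($child.psbase.SchemaClassName -ne 'IIsSmtpServer') { continue }
        $flags = [int]$child.psbase.InvokeGet('AuthFlags')
        [pscustomobject]@{
            Instance  = $child.psbase.Name
            Name      = [string]$child.psbase.InvokeGet('ServerComment')
            AuthFlags = $flags
            Anonymous = [bool]($flags -band $AUTH_ANONYMOUS)
            Basic     = [bool]($flags -band $AUTH_BASIC)
            Windows   = [bool]($flags -band $AUTH_NTLM)
        }
    }
}

$report = @(Get-SmtpVirtualServerAuth)
$report | Format-Table -AutoSize

$open = $report | Where-Object { $_.Anonymous }
if ($open) {
    Write-Warning ("Anonymous SMTP access is still enabled on: " +
                   (($open | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host 'No SMTP virtual server accepts anonymous sessions.'
}
```

Read the metabase, but make the change in Exchange System Manager as the steps above describe: on Exchange 2000 and 2003 the SMTP virtual server configuration is stored in Active Directory and copied into the metabase by the System Attendant's DS2MB process, so a value written directly to the metabase is overwritten on the next replication.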
Use a firewall to block the port that SMTP uses.
Use a firewall to block the port that SMTP uses. Typically, that is port 25.
Impact of Workaround:
This workaround should only be used as a last resort to help protect you from this vulnerability. This workaround may directly affect the ability to communicate with external parties by e-mail.
Unregister xlsasink.dll and fallback to Active Directory for distribution of route information.
1. In the Exchange installation's bin directory, run regsvr32 /u xlsasink.dll.
2. If the default one hour interval for the Exchange servers to update routing information from AD is sufficient, you may skip to step 8. Otherwise continue with the following instructions, taken from the More Information section of Microsoft Knowledge Base Article 842026.
3. Run regedit.
4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESvc\Parameters
5. Edit the ReloadOsInterval value. If it doesn't exist, create a new DWORD value with that name.
6. Type in the number of seconds that the AD route information refresh interval should be. By default this is 3600.
7. Click OK and close regedit.
8. Restart the Exchange server
Impact of Workaround:
Exchange Servers won't use SMTP to proactively update routing information. If changes to the mail infrastructure are made, the Exchange Servers won't know about the new configuration until they refresh routing information from the Active Directory. This could result in a temporary interruption of mail services if the refresh interval is configured too large.
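The same workaround in scripted form, as an added example that is not part of the bulletin: it unregisters the sink silently and checks the regsvr32 exit code, creates the Parameters key if it is missing, writes ReloadOsInterval as a REG_DWORD and reads it back before the restart in step 8. The installation path is an assumption (the default for Exchange 2000 and 2003 installs is shown); the registry path and value name are those given in the steps above.

```powershell
# Added example (not from MS05-021): scripted xlsasink.dll workaround.
# $ExchangeBin is an assumption; point it at the real bin directory.
param(
    [string]$ExchangeBin = 'C:\Program Files\Exchsrvr\bin',  # assumed default path
    [int]$ReloadSeconds = 3600                                # 3600 is the documented default
)

$dll = Join-Path $ExchangeBin 'xlsasink.dll'
if (-not (Test-Path $dll)) { throw "xlsasink.dll not found at $dll" }

# Step 1: unregister the sink. /s suppresses the dialog; exit code 0 means success.
$p = Start-Process -FilePath regsvr32.exe -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "regsvr32 /u failed with exit code $($p.ExitCode)" }

# Steps 3-7: set the AD route-information refresh interval in seconds.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RESvc\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name ReloadOsInterval -PropertyType DWord `
                 -Value $ReloadSeconds -Force | Out-Null

# Verify the value that the routing engine will read after the restart.
$actual = (Get-ItemProperty -Path $key -Name ReloadOsInterval).ReloadOsInterval
if ($actual -ne $ReloadSeconds) { throw "ReloadOsInterval is $actual, expected $ReloadSeconds" }
Write-Host "xlsasink.dll unregistered; ReloadOsInterval = $actual seconds."
Write-Host 'Restart the Exchange server (step 8) for the change to take effect.'
```

Choose $ReloadSeconds with the impact above in mind: the larger the interval, the longer a routing change made elsewhere in the organization stays unknown to this server.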
Frequently asked questions (FAQ):
What updates does this release replace?
Bulletin ID    Exchange 2000 Server    Exchange Server 2003
MS04-035       Replaced                Not Replaced
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.
What causes the vulnerability?
An unchecked buffer in the SMTP service.
What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivering e-mail over the Internet, as defined in RFC 2821 and in RFC 2822. The protocol defines the format of e-mail messages, the fields that are in e-mail messages, the contents of e-mail messages, and the handling procedures for e-mail messages.
What are SMTP extended verbs?
SMTP extended verbs are defined by the extension model that is defined in RFC 2821. They allow addition of new functionality to the SMTP protocol. Microsoft Exchange uses one such extended verb to communicate routing and other Exchange-specific information among Exchange servers in an Exchange environment.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
On Exchange 2000, any anonymous user who could connect to an SMTP port on the Exchange Server and issue a specially crafted extended verb request.
On Exchange 2003, the level of authentication required to exploit this vulnerability is typically only granted to other Exchange Servers within the same organization. In this case, the attacker would have to connect to an SMTP port on the Exchange Server with the authority of another Exchange Server within the same organization and issue a specially crafted extended verb request.
How could an attacker exploit the vulnerability?
An unauthenticated attacker could seek to exploit this vulnerability by connecting to an SMTP port on the Exchange 2000 server and by issuing a specially-crafted extended verb request. This could allow an attacker to take any action on the system in the security context of the SMTP service. By default, the SMTP service runs as Local System.
For Exchange 2003, an attacker who could authenticate as an account in Exchange Enterprise Servers or Exchange Domain Servers groups could exploit this vulnerability.
Because Exchange 2000 Server uses the Windows 2000 SMTP service, does the vulnerability affect the SMTP service in Windows 2000?
No. The vulnerability does not affect the Microsoft SMTP service on systems that are running Windows 2000 that do not have Exchange 2000 Server installed.
The vulnerability also does not affect the Microsoft SMTP services that can be installed on Windows NT Server 4.0 or on Windows XP.
Can this be exploited directly by using e-mail?
No. This vulnerability could not be exploited by sending a specially-crafted e-mail message to a mailbox that is hosted on an Exchange server. An attacker would have to connect directly to the SMTP port on an Exchange server.
What does the update do?
The update removes the vulnerability by modifying the way that the SMTP Service validates the length of a message before it passes the message to the allocated buffer.
Additionally, the update for Exchange 2000 adds authentication requirements similar to those already present in Exchange 2003.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.