Microsoft has released a patch that eliminates a security vulnerability in Microsoft Exchange 2000 Server and Exchange 2000 Enterprise Server. This vulnerability could allow an unauthorized user to remotely login to an Exchange 2000 server and possibly other servers on the affected computer's network.
Credit:
The information has been provided by Microsoft Product Security.
Affected Software Versions
- Microsoft Exchange 2000 Server CDs without "Rev. A" stamped on the CD on the line below the Part No.
- Microsoft Exchange 2000 Enterprise Server CDs without "Rev. A" stamped on the CD below the Part No.
Note: This also applies to evaluation editions and to Microsoft Exchange 2000 Server and Microsoft Exchange 2000 Enterprise Server included on the October 2000 Select CDs.
In early shipments of Exchange 2000, setup creates an account with a known username and password. If a malicious user learned the username and password, he or she could log onto the account. Under normal circumstances, this account only has local user rights - it is not a privileged account and cannot access Exchange 2000 data. However, if Exchange 2000 were installed on a Domain Controller, the account would also have Domain user privileges, and could thus gain access to other resources in the affected Domain. Nevertheless, he or she would still be restricted from accessing Exchange 2000 data.
To eliminate the security vulnerability, Microsoft has provided a manual procedure, discussed in the FAQ, and a tool to protect its customers. Microsoft also recommends that customers affected by this vulnerability disable or delete this account after setup completes. In addition, Exchange 2000 SP1 will contain a fix that removes this vulnerability.
Patch Availability:
- The Tool can be downloaded from:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866
What's the scope of the vulnerability?
This vulnerability could enable a malicious user to log onto an Exchange 2000 Server via a user account created during setup. The specific capabilities the malicious user would gain access to would depend on the type of Windows 2000 Server on which Exchange is installed. If Exchange has been installed on a member server, the malicious user would only gain user privileges on that machine. He or she could take a variety of actions, including loading and running code of their choice on the specific server that has been compromised. If Exchange has been installed on a domain controller, the malicious user would gain domain user privileges. This would enable them to access other network resources and potentially cause further damage.
Best practices strongly recommend against installing Exchange - or any other applications - on a domain controller. Customers who have followed this recommendation would be at significantly less risk from this vulnerability. Regardless of whether Exchange is installed on a member server or domain controller, the user account at issue is an unprivileged one, and does not have access to Exchange 2000 data or the ability to perform administrative actions. Nevertheless, even these user privileges on a server can enable a malicious user to cause significant damage, and could provide a beachhead from which to launch additional attacks.
What causes the vulnerability?
The vulnerability results because a user account is created during setup of Exchange 2000 with a known username and password.
What account is created, and what purpose does it serve?
The user account EUSR_EXSTOREEVENT was created to facilitate the processing of workflow and other event scripts. Exchange 2000 supports running these scripts under the Windows system account, and as a result, this account is no longer required.
If the account isn't required, why was it created?
This type of user account was used in previous versions of Exchange. The account did not pose a security risk in those versions because it did not use a known username or password. This account was included in Exchange 2000 during the beta program while the current method of handling workflow and event scripts was developed. It was intended to be removed from the final shipping product; however, due to a production error, it was not actually removed from some early shipments.
Does this vulnerability affect Exchange 5.5?
No. This account only exists under Exchange 2000.
Is the EUSR_EXSTOREEVENT account highly privileged?
No. It has privileges that match those of a normal user. It does not have administrative privileges of any kind, nor any access to Exchange data.
Is EUSR_EXSTOREEVENT a local or domain account?
It's a local account. This means that in the vast majority of cases, it has no privileges whatsoever on the domain. However, there is one exception to this. If Exchange is installed on a domain controller, the account would be a domain account - because, by definition, all local accounts on domain controllers are in fact domain accounts.
How could a malicious user gain access to the account?
If the malicious user learned the username and password, she could simply login remotely to an Exchange Server.
Why can't I just disable the account?
You can. In fact, as discussed below, that's one simple way to eliminate the vulnerability.
Suppose Exchange was installed on a member server. What could the malicious user do if he exploited this vulnerability?
It's easier to start with what the malicious user could not do. The EUSR_EXSTOREEVENT account does not have administrative privileges, so the malicious user could not run tools or access files that are restricted to administrators. For instance, he or she could not change the security configuration of the machine, create new users on the machine or read Exchange 2000 data.
However, he or she could access any file that granted read, write or execute permissions to normal users, and could execute many operating system commands. Most importantly, he or she could load additional software onto the machine and run it, in an effort to gain additional privileges via other vulnerabilities.
Suppose Exchange was installed on a domain controller. What could the malicious user do if he exploited this vulnerability?
The malicious user's privileges would remain the same, except that he or she would now be a domain user rather than a local user. This means that he or she could access any resources, within a domain, that gave rights to members of the Domain Users group.
How common is it for Exchange to be deployed on a domain controller?
Microsoft recommends that a Domain Controller only be used to validate login requests, and that other applications or services be installed on member servers. However, we do understand that certain customers, particularly small to medium sized businesses, may run Exchange 2000 on a domain controller. As a result, we are providing the procedures and tool to cover all deployment scenarios.
Will a fix be included in Service Pack 1 for Exchange 2000?
Yes. A fix will be included in SP1 for Exchange 2000 and customers who deploy Exchange 2000 with SP1 will not need to use the procedure or tool in this bulletin.
How do I identify if my copy of Exchange 2000 is affected?
Use this to determine whether you have an affected version:
Existing Installations
Check for the existence of the EUSR_EXSTOREEVENT account. If it exists, take the appropriate action documented in this bulletin and KB article.
New Installations
The following Exchange 2000 installation media are affected by this vulnerability:
* Exchange 2000 Server CDs without "Rev A" printed on the CD on the line below the Part No. (see upper right quadrant)
* Exchange 2000 Enterprise Server CDs without "Rev A" printed on the CD below the Part No. (see upper right quadrant)
* Exchange 2000 Server and Exchange 2000 Enterprise Server included with the October 2000 Select CD shipment
For any Exchange 2000 evaluation edition, and as another method to test for this vulnerability, use the filever.exe tool, available with Exchange 2000, to check the version of exsetdata.dll. If the version is equal to 6.0.4417.5, then you are affected by the vulnerability.
Example of filever.exe usage:
<CD drive>\SUPPORT\UTILS\I386>filever \setup\i386\exsetdata.dll
If the resulting output contains the version number 6.0.4417.5 (as in the line below), then you are affected by this vulnerability.
-r--- W32i DLL ENU 6.0.4417.5 shp 2,507,024 08-16-2000 exsetdata.dll
I know I'm affected; what does the tool do?
The tool will search for the existence of the EUSR_EXSTOREEVENT account and delete it. The tool MUST be run on all Exchange 2000 machines from a Windows 2000 Administrator account.
What is the manual procedure?
Customers with Exchange 2000 currently installed:
* Delete the EUSR_EXSTOREEVENT account, OR, if the account is in use,
* Change its password
Customers who have not deployed Exchange 2000:
* Prior to installation, manually create and disable EUSR_EXSTOREEVENT, AND
* Delete the account after setup is completed
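The identification steps above (check for the EUSR_EXSTOREEVENT account; check the version of exsetdata.dll) and the manual procedure (disable or delete the account, or pre-create it disabled before setup) can be scripted for a member server. The following PowerShell script is an added example written for this page; it is not Microsoft's tool and not part of the bulletin. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, administrator rights, and a placeholder media path (D:\setup\i386\exsetdata.dll); the account name and the affected version 6.0.4417.5 are the bulletin's own values.

```powershell
# Added example, not Microsoft's tool. Checks a member server for the
# EUSR_EXSTOREEVENT account and the affected setup media, then applies the
# bulletin's manual procedure according to -Action.
param(
    # Placeholder path to the setup media DLL (assumption; adjust to your CD drive).
    [string]$ExsetDataPath = 'D:\setup\i386\exsetdata.dll',
    # Report   : only check, change nothing
    # Disable  : set a random password and disable (account still in use)
    # Delete   : remove the account (existing installation, account not needed)
    # PreCreate: create the account disabled before running setup (new installation)
    [ValidateSet('Report', 'Disable', 'Delete', 'PreCreate')]
    [string]$Action = 'Report'
)

$AccountName     = 'EUSR_EXSTOREEVENT'   # account named in the bulletin
$AffectedVersion = '6.0.4417.5'          # exsetdata.dll version named in the bulletin

# Local accounts on a domain controller are domain accounts (see the FAQ), so the
# local-account cmdlets below do not apply there; DomainRole 4/5 = backup/primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning 'This machine is a domain controller; check and remove the account with the ActiveDirectory module instead.'
    return
}

function New-RandomSecurePassword {
    # 32 random bytes from the CSPRNG, base64-encoded: nobody needs to know this value.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Media check (the filever.exe step from the bulletin, done via the version resource).
if (Test-Path -LiteralPath $ExsetDataPath) {
    $vi  = (Get-Item -LiteralPath $ExsetDataPath).VersionInfo
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    if ($ver -eq $AffectedVersion) {
        Write-Warning "$ExsetDataPath is version $ver (affected media): pre-create $AccountName disabled before setup, delete it afterwards."
    } else {
        Write-Output "$ExsetDataPath is version $ver (not the affected build)."
    }
} else {
    Write-Output "No exsetdata.dll at $ExsetDataPath; media check skipped."
}

# 2. Account check (existing installations).
$acct = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if ($acct) {
    Write-Warning "$AccountName exists (Enabled=$($acct.Enabled)); this machine is affected."
} else {
    Write-Output "$AccountName is not present on this machine."
}

# 3. Apply the chosen step of the manual procedure.
switch ($Action) {
    'Report' { }
    'Disable' {
        if ($acct) {
            Set-LocalUser -Name $AccountName -Password (New-RandomSecurePassword)
            Disable-LocalUser -Name $AccountName
            Write-Output "$AccountName password replaced and account disabled."
        }
    }
    'Delete' {
        if ($acct) {
            Remove-LocalUser -Name $AccountName
            Write-Output "$AccountName deleted."
        }
    }
    'PreCreate' {
        if (-not $acct) {
            # Occupy the name with a disabled account so setup cannot create the known-password one.
            New-LocalUser -Name $AccountName -Password (New-RandomSecurePassword) -Disabled `
                -Description 'Pre-created disabled per Exchange 2000 bulletin; delete after setup' | Out-Null
            Write-Output "$AccountName pre-created in disabled state; delete it after setup completes."
        }
    }
}
```

Run it once with the default -Action Report to see whether the machine or media is affected, then with -Action Delete (or Disable if workflow scripts still run under the account) on every Exchange 2000 server, exactly as the bulletin requires for the tool. The version comparison is built from the four numeric parts of the file's version resource rather than the free-form FileVersion string, which keeps the check exact.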
Where can I get the tool?
The download location for the tool is provided in the "Patch Availability" section of the security bulletin.
How do I use the tool?
Knowledge Base article Q278523 contains detailed instructions for applying the workaround or running the tool.
How can I tell if I ran the tool or followed the procedure correctly?
Knowledge Base article Q278523 provides details about the manual procedure and how to run the tool.