__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Exchange Server Vulnerabilities [Microsoft Security Bulletin MS03-046] October 15, 2003 22:00 GMT Number O-005 [REVISED 17 Oct 2003] ______________________________________________________________________________ PROBLEM: Buffer overrun and denial of service vulnerabilities have been identified on two versions of Microsoft's Exchange Servers. SOFTWARE: Microsoft Exchange 2000 Server, Service Pack 3 Microsoft Exchange Server 5.5, Service Pack 4 DAMAGE: Exchange 2000 Server A remote attacker could run arbitrary code of their choice on the affected system in the security context of the Local System account or exhaust large amounts of memory causing a denial of service. Exchange Server 5.5 A remote attacker could exhaust large amounts of memory on the server causing a denial of service. SOLUTION: Apply appropriate patches or implement workarounds. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A remote attacker could run code of their ASSESSMENT: choice with system privileges (Exchange Server 2000 only). ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-005.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp? url=/technet/security/bulletin/MS03-046.asp CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0714 ADDITIONAL LINKS: CERT Advisory CA-2003-27 http://www.cert.org/advisories/CA-2003-27.html ______________________________________________________________________________ REVISION HISTORY: 10/17/03 - added link to CERT Advisory CA-2003-27. [***** Start Microsoft Security Bulletin MS03-046 *****] Microsoft Security Bulletin MS03-046 Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436) Issued: October 15, 2003 Version Number: Version Number: 1.0 Summary Who Should Read This Document: System administrators who have servers running Microsoft® Exchange Server Impact of Vulnerability: Remote Code Execution Maximum Severity Rating: Critical Recommendation: System administrators should apply the security patch to Exchange servers immediately Patch Replacement: None Caveats: None Tested Software and Patch Download Locations: Affected Software: Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch Microsoft Exchange 2000 Server, Service Pack 3 - Download the patch Non Affected Software: Microsoft Exchange Server 2003 The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected. Technical Details Technical Description: In Exchange Server 5.5, a security vulnerability exists in the Internet Mail Service that could allow an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted extended verb request that could allocate a large amount of memory. This could shut down the Internet Mail Service or could cause the server to stop responding because of a low memory condition. In Exchange 2000 Server, a security vulnerability exists that could allow an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted extended verb request. That request could cause a denial of service that is similar to the one that could occur on Exchange 5.5. Additionally, if an attacker issues the request with carefully chosen data, the attacker could cause a buffer overrun that could allow the attacker to run malicious programs of their choice in the security context of the SMTP service. Mitigating Factors: Microsoft ISA Server 2000, or third-party products that relay and filter SMTP traffic before forwarding it to Exchange, could be used to prevent this attack over the Internet. Customers who use ISA Server 2000 to publish Exchange SMTP services with the default SMTP publishing rules are at reduced risk from this attack over the Internet. The Workarounds section below discusses these ISA publishing rules. Severity Rating: Exchange Server 5.5 Important Exchange 2000 Server Critical The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability Identifier: CAN-2003-0714 Workarounds Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below. Use SMTP protocol inspection to filter out SMTP protocol extensions. There are default ISA publishing rules for Exchange for filtering out any SMTP protocol extensions from traffic that passes the firewall. Other third-party products may offer similar functionality. More information http://support.microsoft.com/default.aspx?scid=kb;en-us;311237. Only accept authenticated SMTP sessions. If practicle, accept only connections from SMTP servers that authenticate themselves by using the SMTP AUTH command. To require SMTP authentication on an Exchange 2000 server: Start Exchange System Manager. Locate the server in the organization tree. Expand the Protocols container for the server. Expand the SMTP container. For each SMTP virtual server: Open the properties and of the virtual server object. Click the Access properties page. Click the Authentication button. Clear the "Anonymous Access" checkbox. Click OK to accept the change. To require SMTP authentication on an Exchange 5.5 server: To require authentication for inbound connections: Click the Connections page. In the "Accept Connections" Section, mark the radio button for "Only from hosts using Authentication." Impact of Workaround: Because most of the SMTP servers on the Internet only support Anonymous Authentication, inbound sessions from external SMTP servers will be affected. Use a firewall to block the port that SMTP uses. Use a firewall to block the port that SMTP uses. Typically, that is port 25. Impact of Workaround : This workaround should only be used as a last resort to help protect you from this vulnerability. This workaround may directly affect the ability to communicate with external parties by e-mail. For additional information about how to help make your Exchange environment more secure, visit the Security Resources for Exchange 5.5 and Security Resources for Exchange 2000 Web sites. Security Patch Information Exchange 2000 Server Service Pack 3 Exchange Server 5.5 Service Pack 4 Acknowledgments Microsoft thanks the following for working with us to protect customers: Joćo Gouveia for reporting the issue described in MS03-046. Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site Support: Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Microsoft Software Update Services: http://www.microsoft.com/sus/ Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool. Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 Windows Update: http://windowsupdate.microsoft.com Office Update: http://office.microsoft.com/officeupdate/ Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (October 15, 2003): Bulletin published. [***** End Microsoft Security Bulletin MS03-046 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft Corp. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) N-155: Red Hat Updated Perl packages fix security issues N-156: ProFTPD ASCII File Remote Compromise Vulnerability N-157: CERT/CC Vulnerability Note OpenSSH PAM challenge authentication failure N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely O-002: Microsoft Internet Explorer Cumulative Patch O-003: HP Potential Security Vulnerability in dtprintinfo O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution