__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

   Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
                [Microsoft Security Bulletin MS03-047]

October 16, 2003 14:00 GMT                                    Number O-010
                                                      [REVISED 17 Oct 2003]
______________________________________________________________________________

PROBLEM:        A cross-site scripting (XSS) vulnerability has been
                identified due to the way that Outlook Web Access (OWA)
                performs HTML encoding in the Compose New Message form.

SOFTWARE:       Microsoft Exchange Server 5.5, Service Pack 4

DAMAGE:         An attacker could cause arbitrary code to run during another
                user's Web session. The code could take any action on the
                user's computer that the Web site is authorized to take; this
                could include monitoring the Web session and forwarding
                information to a third party, running other code on the
                user's system and reading or writing cookies. The code could
                be written to be persistent, so that if the user returned to
                the Web site again, the code would run again.

SOLUTION:       Apply appropriate patches or implement workarounds.
______________________________________________________________________________

VULNERABILITY   The risk is MEDIUM. This vulnerability cannot be "injected"
ASSESSMENT:     into a Web session; it can only be exploited if the user
                clicks a hyperlink that an attacker provides. An attacker
                would have to know the name of a user's Exchange server and
                then entice the user to open a specially-formed link from
                some other source while the user is logged on to OWA.
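The PROBLEM statement above attributes the flaw to the way OWA HTML-encodes values echoed into the Compose New Message form. The following is an added example, not code from the bulletin, from CIAC or from Microsoft's OWA; it shows the class of fix in miniature: a form-field renderer that echoes an untrusted value unencoded, the same renderer with contextual HTML encoding, and a structural check a reviewer can run to confirm that the value can no longer add elements or attributes to the page. The field names, the form markup and the sample subjects are all constructed for illustration and are not OWA's actual page structure.

```javascript
// Added example (not OWA's or Microsoft's code): HTML encoding of a value that
// a web form echoes back, plus a structural check that the encoding worked.

// Characters that can start a tag, end an attribute or begin an entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encoder for HTML element text and double-quoted attribute values.
// It is NOT sufficient for JavaScript, URL or CSS contexts.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample subject lines; the second and third contain characters
// that matter to an HTML parser but are otherwise ordinary text.
const CONSTRUCTED_SUBJECTS = [
  "Status report",
  'Meeting "notes" <and> agenda',
  "Q4 <budget> draft",
];
const SAMPLE_SUBJECT = CONSTRUCTED_SUBJECTS[1];

// Vulnerable pattern: the untrusted value is concatenated into an attribute
// as-is, so a quote in the value ends the attribute and '<' starts a tag.
function renderSubjectFieldUnsafe(subject) {
  return '<input type="text" name="subject" value="' + subject + '">';
}

// Hardened pattern: the value is encoded for the attribute context, so it
// can only ever be the attribute's text.
function renderSubjectFieldSafe(subject) {
  return '<input type="text" name="subject" value="' + htmlEncode(subject) + '">';
}

// Number of places where an HTML parser would start a tag, comment or
// end tag: '<' followed by a letter, '!' or '/'.
function countTagStarts(html) {
  const matches = html.match(/<[A-Za-z!\/]/g);
  return matches ? matches.length : 0;
}

function countDoubleQuotes(html) {
  const matches = html.match(/"/g);
  return matches ? matches.length : 0;
}

// True when the markup still consists of exactly the one intended <input>
// element with its three double-quoted attributes (six quote characters),
// i.e. the echoed value did not add any structure of its own.
function rendersAsSingleInput(html) {
  return countTagStarts(html) === 1 && countDoubleQuotes(html) === 6;
}

// Runs a renderer over the constructed subjects and returns how many of them
// broke the page structure. A correct renderer returns 0 for every input.
function auditRenderer(render) {
  let broken = 0;
  for (const subject of CONSTRUCTED_SUBJECTS) {
    if (!rendersAsSingleInput(render(subject))) {
      broken += 1;
    }
  }
  return broken;
}

console.log("unencoded renderer, inputs that broke structure:",
  auditRenderer(renderSubjectFieldUnsafe));
console.log("encoded renderer, inputs that broke structure:",
  auditRenderer(renderSubjectFieldSafe));
```

The structural check is deliberately narrow: it only proves that the value cannot create a new element or attribute in this one double-quoted attribute context. A value reused inside a script block, an event-handler attribute or a URL needs encoding for that context instead, which is why a single "HTML encode" call, applied in the wrong place, is exactly the kind of gap a bulletin like this one describes.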
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-010.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-047.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0712
 ADDITIONAL LINKS:   CERT Advisory CA-2003-27
                     http://www.cert.org/advisories/CA-2003-27.html
______________________________________________________________________________

REVISION HISTORY:
 10/17/03 - added link to CERT Advisory CA-2003-27.

[***** Start Microsoft Security Bulletin MS03-047 *****]

Microsoft Security Bulletin MS03-047

Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow
Cross-Site Scripting Attack (828489)

Issued: October 15, 2003
Version Number: 1.0

Summary

Who Should Read This Document: System administrators who have servers
running Microsoft® Exchange Server 5.5 Outlook® Web Access

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Moderate

Recommendation: System administrators should install this security patch on
their servers running Outlook Web Access 5.5

Patch Replacement: None

Caveats: Customers who have customized any of the ASP pages in the File
Information section in this document should back up those files before
applying this patch, as they will be overwritten when the patch is applied.
Any customizations would then need to be reapplied to the new ASP pages.

Tested Software and Patch Download Locations:

Affected Software:
 * Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch

Non-Affected Software:
 * Microsoft Exchange 2000 Server
 * Microsoft Exchange Server 2003

The software listed above has been tested to determine if the above versions
are affected. Other versions are no longer supported, and may or may not be
affected.
Technical Details

Technical Description:

A cross-site scripting (XSS) vulnerability results due to the way that
Outlook Web Access (OWA) performs HTML encoding in the Compose New Message
form. An attacker could seek to exploit this vulnerability by having a user
run script on the attacker's behalf. The script would execute in the security
context of the user. If the script executes in the security context of the
user, the attacker's code could then execute by using the security settings
of the OWA Web site (or of a Web site that is hosted on the same server as
the OWA Web site) and could enable the attacker to access any data belonging
to the site where the user has access.

To exploit this vulnerability through OWA, an attacker would have to send an
e-mail message that has a specially-formed link to the user. The user would
then have to click the link. To exploit this vulnerability in another way, an
attacker would have to know the name of the user's Exchange server and then
entice the user to open a specially-formed link from another source while the
user is logged on to OWA.

Note: Customers who have customized any of the ASP pages in the File
Information section in this document should back up those files before
applying this patch, as they will be overwritten when the patch is applied.
Any customizations would then need to be reapplied to the new ASP pages.
Please refer to the Microsoft Support Policy for the Customization of Outlook
Web Access, available at
http://support.microsoft.com/default.aspx?scid=kb;en-us;327178

Mitigating factors:

 * To be affected, the user would have to be logged onto OWA, be enticed to
   log on to OWA, or use another Web application on the same server as OWA.
   Generally, a server that runs Exchange Server 5.5 Outlook Web Access does
   not run other Web applications for reasons of performance, scalability,
   and security.
 * To exploit this vulnerability through OWA, an attacker would have to send
   an e-mail message that has a specially-formed link to a user. The user
   would then have to click the link.

 * In the Web-based attack vector, an attacker would have to know the name of
   a user's Exchange server and then entice the user to open a
   specially-formed link from some other source while the user is logged on
   to OWA.

Severity Rating:

*******************************************************
Exchange Server 5.5 Outlook Web Access        Moderate
*******************************************************

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0712

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability; however, they help block known attack
vectors. Workarounds may cause a reduction in functionality in some cases – in
such situations this is identified below.

 * Disable Outlook Web Access for each Exchange site

   Outlook Web Access can be disabled by following these steps. These steps
   need to be performed on each Exchange site.

   1. Start Exchange Administrator.
   2. Expand the Configuration container for the site.
   3. Select the Protocols container for the site.
   4. Open the properties of the HTTP (Web) Site Settings object.
   5. Clear the "Enable Protocol" checkbox.
   6. Wait for the change to replicate, and then verify that this change has
      replicated to each server in the site. To do this, bind to each server
      in the site with Exchange Administrator and view the setting.

   Impact of Workaround: Users will have no access to their mailboxes via
   Outlook Web Access.

 * Uninstall Outlook Web Access.

   Uninstall Outlook Web Access. For steps on how to do this, please refer to
   the Knowledge Base Article "How to Completely Remove and Re-Install OWA",
   available at
   http://support.microsoft.com/default.aspx?scid=kb;en-us;290287

   Impact of Workaround: Users will have no access to their mailboxes via
   Outlook Web Access.

For additional information about how to help make your Exchange environment
more secure, visit the Security Resources for Exchange 5.5 Web site.

Security Patch Information

For information about the specific security patch for your platform, click
the appropriate link:

 * Exchange Server 5.5 SP4

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

 * Ory Segal of Sanctum Inc. for reporting the issue described in MS03-047.

Obtaining other security patches:

Patches for other security issues are available from the following
locations:

 * Security patches are available from the Microsoft Download Center, and
   can be most easily found by doing a keyword search for "security_patch".
 * Patches for consumer platforms are available from the WindowsUpdate web
   site.

Support:

 * Technical support is available from Microsoft Product Support Services at
   1-866-PCSAFETY. There is no charge for support calls associated with
   security patches.

Security Resources:

 * The Microsoft TechNet Security Web Site provides additional information
   about security in Microsoft products.
 * Microsoft Software Update Services: http://www.microsoft.com/sus/
 * Microsoft Baseline Security Analyzer (MBSA) details:
   http://www.microsoft.com/mbsa. Please see
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a list
   of security patches that have detection limitations with the MBSA tool.
 * Windows Update Catalog:
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
 * Windows Update: http://windowsupdate.microsoft.com
 * Office Update: http://office.microsoft.com/officeupdate/

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind.
Microsoft disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:

 * V1.0 (October 15, 2003): Bulletin published.

[***** End Microsoft Security Bulletin MS03-047 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate with
CIAC. The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo
       safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code
       Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun
       Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow
       Vulnerability
O-009: Microsoft Listbox and ComboBox Control Buffer Overrun
       Vulnerabilities