SecurityTracker.com
Category:   Application (E-mail Server)  >   Microsoft Exchange
Vendors:   Microsoft
Microsoft Exchange Server Lets Remote Users Send or Relay Unauthorized Mail (including SPAM) Via the Server
SecurityTracker Alert ID:  1003685
SecurityTracker URL:  http://securitytracker.com/id/1003685
CVE Reference:   CVE-2002-0054
Updated:  Apr 16 2004
Original Entry Date:  Feb 28 2002
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.5
Description:   Microsoft issued a security bulletin (MS02-011) warning of a vulnerability in the Windows 2000 SMTP service and in Exchange Server 5.5. A remote user could relay unauthorized mail via the system.

It is reported that the SMTP service that is part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5, sometimes also known as the Microsoft Exchange Internet Mail Service, contains a vulnerability in the processing of valid responses from the NTLM authentication layer of the underlying operating system.

The Exchange Server 5.5 IMC, upon receiving notification from the NTLM authentication layer that a user has been authenticated, reportedly fails to perform the required additional checks before granting the user access to the service. In most cases, a remote user that can successfully authenticate to the server can gain access to the SMTP service.

Microsoft reports that Exchange 2000 servers are not affected.

Microsoft has assigned this vulnerability a maximum severity rating of "Low".

Impact:   A remote user that can successfully authenticate to the server can gain access to the SMTP service and, for example, send or relay mail via the server.
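
The flaw class described above is authentication being treated as authorization. The following Python example is added here for illustration and is not Microsoft's or SecurityTracker's code; the session record layout, account names, domains and the allow-list are constructed assumptions. It contrasts the two access decisions and audits session records for relays that only the flawed decision would have accepted.

```python
# Added illustration of the flaw class (authentication treated as authorization).
# Not vendor code: the record layout, accounts, domains and allow-list are constructed.
from dataclasses import dataclass
from typing import List, Optional

LOCAL_DOMAINS = {"corp.example"}        # assumption: domains this server hosts
SMTP_AUTHORIZED = {"corp\\mailsvc"}     # assumption: accounts permitted to use SMTP


@dataclass(frozen=True)
class Session:
    client_ip: str
    ntlm_account: Optional[str]  # account the NTLM layer reported, None if no auth
    rcpt_to: str


def is_external(address: str) -> bool:
    """True when the recipient domain is not hosted locally, i.e. a relay."""
    return address.rsplit("@", 1)[-1].casefold() not in LOCAL_DOMAINS


def flawed_grants_access(s: Session) -> bool:
    """Behaviour the advisory describes: a valid NTLM result alone is enough."""
    return s.ntlm_account is not None


def checked_grants_access(s: Session) -> bool:
    """Authentication followed by a separate authorization check."""
    if s.ntlm_account is None:
        return False
    # Windows account names are case-insensitive, so compare case-folded.
    return s.ntlm_account.casefold() in SMTP_AUTHORIZED


def audit(sessions: List[Session]) -> List[Session]:
    """Relays that only the flawed decision would have accepted."""
    return [s for s in sessions
            if is_external(s.rcpt_to)
            and flawed_grants_access(s)
            and not checked_grants_access(s)]


SAMPLE = [  # constructed records
    Session("192.0.2.10", "CORP\\MailSvc", "partner@other.example"),
    Session("198.51.100.7", "CORP\\jdoe", "someone@other.example"),
    Session("198.51.100.7", "CORP\\jdoe", "helpdesk@corp.example"),
    Session("203.0.113.5", None, "someone@other.example"),
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(f"{hit.client_ip} {hit.ntlm_account} relayed to {hit.rcpt_to}")
```
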
Solution:   The vendor has issued a fix. In April 2004, the vendor added a fix for Windows NT 4.0. Shown below is the fix for Exchange, as well as the fixes for Windows 2000 and NT 4.0, which are affected by the same vulnerability [a separate Alert has been issued regarding Windows 2000 and NT 4.0].

Windows 2000 Server, Professional and Advanced Server:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556

Windows NT Server 4.0:

http://www.microsoft.com/downloads/details.aspx?FamilyId=457C0C18-8C3E-4923-B395-614C117F13C5&displaylang=en

Exchange Server 5.5:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423

Windows 2000 Datacenter Server:

Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer, the vendor said.

The Windows 2000 patch can be installed on Windows 2000 SP1, the Windows NT Server 4.0 patch can be installed on Windows NT Server 4.0 SP6a, and the Exchange Server 5.5 patch can be installed on Exchange Server 5.5 SP4.

This fix will be included in Windows 2000 SP3.

A reboot is required after installing this patch.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-011.asp
Cause:   Authentication error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Alert:Microsoft Security Bulletin - MS02-011


http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service

Originally posted: February 27, 2002

Summary


Impact of vulnerability: Mail relaying.

Maximum Severity Rating: Low

Recommendation: Customers who need the Windows 2000 SMTP services should apply the Windows patch; all others should disable the SMTP service.  Customers using the Exchange Server 5.5 IMC should apply the Exchange Server 5.5 IMC patch.

Affected Software: 
- Microsoft Windows 2000 
- Microsoft Exchange Server 5.5

Technical description: 

An SMTP service installs by default as part of Windows 2000 server products and as part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5.  (The IMC, also known as the Microsoft Exchange Internet Mail Service, provides access and message exchange to and from any system that uses SMTP).  A vulnerability results in both services because of a flaw in the way they handle a valid response from the NTLM authentication layer of the underlying operating system.

By design, the Windows 2000 SMTP service and the Exchange Server 5.5 IMC, upon receiving notification from the NTLM authentication layer that a user has been authenticated, should perform additional checks before granting the user access to the service.  The vulnerability results because the affected services don't perform this additional checking correctly.  In some cases, this could result in the SMTP service granting access to a user solely on the basis of their ability to successfully authenticate to the server.

An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.

Mitigating factors:
- Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service.
- The vulnerability would not enable the attacker to read other users' email, nor to send mail as other users.
- Best practices recommend disabling unneeded services. If the SMTP service has been disabled, the mail relaying vulnerability could not be exploited.
- The vulnerability would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.

Vulnerability identifier: CAN-2002-0054



This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
