SecurityTracker.com
Category:   Application (E-mail Server)  >   Microsoft Exchange
Vendors:   Microsoft
Microsoft Exchange 2000 Flaw in Processing a Certain Malformed SMTP Command Allows Remote Users to Deny Service to the Server
SecurityTracker Alert ID:  1004407
SecurityTracker URL:  http://securitytracker.com/id/1004407
CVE Reference:   CVE-2002-0368
Date:  May 29 2002
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Exchange 2000
Description:   Microsoft reported a vulnerability in Exchange 2000's processing of malformed SMTP message attributes when receiving mail. A remote user can cause the 'Store' service to consume all available CPU processing resources while processing the message.

According to the report, a remote user must have direct access to the Exchange server's SMTP port to exploit the flaw in the 'Store' service. The Exchange 'Store' service is used to store information contained in user mailboxes and public folders, to process messages, and to deliver messages.

Apparently, CPU utilization spikes to 100% while the Store service processes the message and returns to normal once processing has completed. However, a remote user could repeatedly send malformed messages to deny service to the server.
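
An added example, not part of the advisory or Microsoft's bulletin: one way to spot the repeated-spike pattern described above is to correlate sustained Store CPU saturation with the inbound SMTP sessions that immediately preceded it. The sample data, thresholds, lookback window and function names are constructed assumptions; the advisory does not specify any log or counter format.

```python
from collections import Counter

# Constructed sample data (not from the advisory): (seconds, Store CPU %)
CPU_SAMPLES = [(0, 12), (10, 15), (20, 100), (30, 100), (40, 100), (50, 14),
               (60, 11), (70, 99), (80, 100), (90, 100), (100, 13),
               (110, 100), (120, 16)]

# Constructed inbound SMTP sessions: (seconds, source address).
# Addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SMTP_SESSIONS = [(5, "198.51.100.7"), (18, "192.0.2.44"), (55, "198.51.100.9"),
                 (68, "192.0.2.44"), (105, "198.51.100.7")]


def saturation_episodes(samples, threshold=95, min_samples=3):
    """Return (start, end) times of runs of at least min_samples
    consecutive samples at or above threshold. Short blips are ignored."""
    episodes, run = [], []
    for t, pct in samples + [(None, 0)]:  # sentinel closes a trailing run
        if pct >= threshold:
            run.append(t)
        else:
            if len(run) >= min_samples:
                episodes.append((run[0], run[-1]))
            run = []
    return episodes


def suspect_sources(samples, sessions, lookback=15, min_hits=2):
    """Return sources that had a session in the lookback window before
    at least min_hits separate saturation episodes, with their hit count."""
    hits = Counter()
    for start, _end in saturation_episodes(samples):
        # A set, so one source counts once per episode however chatty it was.
        preceding = {src for t, src in sessions
                     if start - lookback <= t <= start}
        hits.update(preceding)
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(saturation_episodes(CPU_SAMPLES))
    print(suspect_sources(CPU_SAMPLES, SMTP_SESSIONS))
```

The lookback window has to allow for any delay between SMTP acceptance and Store processing, so tune it against the server's normal delivery latency before relying on the result.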

Microsoft states that there is one RFC 822 SMTP attribute (which they did not disclose) that, when malformed in a particular manner, will trigger the flaw.

Exchange 5.5 is reportedly not affected.

Microsoft has assigned this bug a 'Critical' rating for Internet and Intranet Servers.

Microsoft credits Mr. Allendoerfer (allendoerfer@uni-mainz.de), Mr. Koenig (koenig@uni-mainz.de), Mr. Kraemer (kraemer@uni-mainz.de), Mr. Schaal (schaal@uni-mainz.de), and Mr. Tacke (tacke@uni-mainz.de) of the Computing Center, Johannes Gutenberg University Mainz, Germany, for reporting this issue.

Impact:   A remote user with access to the SMTP port can cause the Exchange 2000 server to consume all available CPU resources and can deny service to the server.
Solution:   The vendor has released a patch.

For Microsoft Exchange 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38951

This patch can reportedly be installed on systems running Microsoft Exchange 2000 SP2.

Microsoft plans to include the fix for this bug in Exchange 2000 SP3.

Microsoft also plans to issue Knowledge Base article Q320436 to address this issue. It will be available shortly at the Microsoft Online Support web site:

http://search.support.microsoft.com/kb/c.asp?SD=SO&LN=EN-US

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-025.asp
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-025: Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources (Q320436)


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Malformed Mail Attribute can Cause Exchange 2000 to
            Exhaust CPU Resources (Q320436)
Date:       29 May 2002
Software:   Microsoft Exchange
Impact:     Denial of Service
Max Risk:   Critical
Bulletin:   MS02-025

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-025.asp.
- ----------------------------------------------------------------------

Issue:
======
To support the exchange of mail with heterogeneous systems, 
Exchange messages use the attributes of SMTP mail messages that
are specified by RFCs 821 and 822. There is a flaw in the way
Exchange 2000 handles certain malformed RFC message attributes
on received mail. Upon receiving a message containing such
a malformation, the flaw causes the Store service to consume
100% of the available CPU in processing the message. 

A security vulnerability results because it is possible for an
attacker to seek to exploit this flaw and mount a denial of
service attack. An attacker could attempt to levy an attack
by connecting directly to the Exchange server and passing a
raw, hand-crafted mail message with a specially malformed
attribute. When the message was received and processed by the
Store service, the CPU would spike to 100%. The effects of the
attack would last as long as it took for the Exchange Store
service to process the message. Neither restarting the service
nor rebooting the server would remedy the denial of service.

Mitigating Factors:
====================
 - The effect of an attack via this vulnerability would be
   temporary. Once the server completed processing the
   message, normal operations would resume. However, it
   is not possible to halt the processing of the message
   once begun, even with a reboot. 

 - The vulnerability does not provide any capability to
   compromise data on the server or gain administrative
   control over it. 

 - Mounting a successful attack requires the ability to pass a
   hand-crafted message to the target system, most likely through
   a simulated server-based connection. It is not possible to
   craft a malformed message using an email client such as
   Outlook or Outlook Express.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-025.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Mr. Allendoerfer (allendoerfer@uni-mainz.de); 
   Mr. Koenig (koenig@uni-mainz.de);
   Mr. Kraemer (kraemer@uni-mainz.de);
   Mr. Schaal (schaal@uni-mainz.de);
   Mr. Tacke (tacke@uni-mainz.de) of the Computing Center,
   Johannes Gutenberg University Mainz, Germany
- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.


