SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Microsoft Exchange
Vendors:   Microsoft
(Microsoft Issues Fix) Microsoft Exchange 2003 With Outlook Web Access and Windows SharePoint Services May Grant Incorrect E-mail Account Access to Remote Authenticated Users
SecurityTracker Alert ID:  1008700
SecurityTracker URL:  http://securitytracker.com/id/1008700
CVE Reference:   CVE-2003-0904
Updated:  Jan 15 2004
Original Entry Date:  Jan 13 2004
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2003
Description:   A vulnerability was reported in Microsoft Exchange 2003 when used with Outlook Web Access and Windows SharePoint Services. The system may grant a remote authenticated user access to the wrong e-mail account.

Matthew Johnson reported that a remote authenticated user may be granted full access to a random user's mailbox.

Martin Blackstone noted that Microsoft issued a support article on the topic. Microsoft reports that when Windows SharePoint Services 2.0 is installed on a Windows Server 2003 system that is running Exchange Server 2003, Kerberos authentication on Internet Information Services (IIS) may be disabled. As a result, Outlook Web Access requests may be incorrectly handled, the report said.

Impact:   A remote authenticated user may be granted full access to a random user's mailbox.
Solution:   The vendor has released a fix for Exchange Server 2003, available at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en

Microsoft plans to include this fix in Exchange Server 2003 SP1.

This patch does not require the computer to restart.

The vendor reports that a disruption in OWA and Simple Mail Transfer Protocol (SMTP) mail flow and other Internet Information Services (IIS) applications may occur during the patching process.

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms04-002.asp
Cause:   Authentication error, State error
Underlying OS:  Windows (2003)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 28 2003 Microsoft Exchange 2003 With Outlook Web Access and Windows SharePoint Services May Grant Incorrect E-mail Account Access to Remote Authenticated Users



 Source Message Contents

Subject:  MS04-002


http://www.microsoft.com/technet/security/bulletin/ms04-002.asp

MS04-002

Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)

Microsoft Outlook Web Access for Microsoft Exchange Server 2003

Maximum Severity Rating: Moderate

CVE:  CAN-2003-0904

A vulnerability has been reported in Microsoft Outlook Web Access (OWA) for Microsoft 
Exchange Server 2003 in the reuse of HTTP connections with NTLM authentication.  A remote 
authenticated OWA user may be able to access a target user's mailbox in certain situations.

It is reported that if the target user's mailbox is hosted on the same back-end server as 
the remote authenticated user and if the target user has recently accessed their mailbox, 
the flaw may occur.  According to the report, the remote user cannot specify or control 
which target user mailbox is accessed.

The flaw may occur when the web server running the Exchange Server 2003 programs on the 
Exchange back-end server has been specifically configured to not use the default Kerberos 
authentication, causing OWA to fall back to using NTLM authentication.  This specific 
configuration may occur when Microsoft Windows SharePoint Services 2.0 is installed on a 
Windows Server 2003 server that also operates as an Exchange Server 2003 back-end.

Only systems that use a front-end server that hosts OWA for Exchange 2003 Server on 
Windows 2000 or Windows Server 2003 in conjunction with a back-end Exchange Server 2003 
that runs on Windows Server 2003 are affected by this flaw.

The vendor reports that Exchange Server 2000 and 5.5 are not affected.


The vendor has released a fix for Exchange Server 2003, available at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en

Microsoft plans to include this fix in Exchange Server 2003 SP1.

This patch does not require the computer to restart.

The vendor reports that a disruption in OWA and Simple Mail Transfer Protocol (SMTP) mail 
flow and other Internet Information Services (IIS) applications may occur during the 
patching process.
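
The following is an added illustration, not part of the advisory and not Microsoft's code or fix. It is a simplified model of the flaw class described above: NTLM authenticates the connection rather than each request, so a front end that reuses an authenticated back-end connection for a different user serves the wrong mailbox. All class names, function names and user names are constructed for the example.

```python
# Simplified, constructed model of connection-bound authentication behind a
# front-end server. It does not reproduce Exchange, IIS or the NTLM protocol.

class BackendConnection:
    """Back-end connection whose identity is fixed by the first handshake."""
    def __init__(self):
        self.auth_user = None

    def handle(self, request_user):
        # The handshake runs only on an unauthenticated connection; later
        # requests on the same connection are served as self.auth_user.
        if self.auth_user is None:
            self.auth_user = request_user
        return f"mailbox:{self.auth_user}"


class SharedPoolFrontEnd:
    """Weak pattern: any idle back-end connection is reused for any user."""
    def __init__(self):
        self.idle = []

    def request(self, user):
        conn = self.idle.pop() if self.idle else BackendConnection()
        result = conn.handle(user)
        self.idle.append(conn)
        return result


class PerUserPoolFrontEnd:
    """Safer pattern: an authenticated connection is reused only by its owner."""
    def __init__(self):
        self.idle = {}

    def request(self, user):
        pool = self.idle.setdefault(user, [])
        conn = pool.pop() if pool else BackendConnection()
        result = conn.handle(user)
        pool.append(conn)
        return result


def served_mailboxes(front_end, users):
    """Return (requesting user, mailbox served) for each request in order."""
    return [(u, front_end.request(u)) for u in users]


if __name__ == "__main__":
    sequence = ["alice", "bob", "alice"]  # constructed sample users
    print(served_mailboxes(SharedPoolFrontEnd(), sequence))
    print(served_mailboxes(PerUserPoolFrontEnd(), sequence))
```

In the shared-pool run the second user receives the mailbox of whoever last authenticated on the reused connection, which matches the advisory's point that the affected user cannot choose whose mailbox is returned.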



 
 



Copyright 2021, SecurityGlobal.net LLC