| PROBLEM: | Buffer overrun and denial of service vulnerabilities have been identified in two versions of Microsoft's Exchange Server. |
| SOFTWARE: | Microsoft Exchange 2000 Server, Service Pack 3; Microsoft Exchange Server 5.5, Service Pack 4 |
| DAMAGE: | Exchange 2000 Server: A remote attacker could run arbitrary code of their choice on the affected system in the security context of the Local System account, or exhaust large amounts of memory, causing a denial of service. Exchange Server 5.5: A remote attacker could exhaust large amounts of memory on the server, causing a denial of service. |
| SOLUTION: | Apply appropriate patches or implement workarounds. |
| VULNERABILITY ASSESSMENT: | The risk is HIGH. A remote attacker could run code of their choice with system privileges (Exchange 2000 Server only). |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/o-005.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-046.asp |
| CVE/CAN: | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0714 |
| ADDITIONAL LINKS: | CERT Advisory CA-2003-27, http://www.cert.org/advisories/CA-2003-27.html |
REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.
[***** Start Microsoft Security Bulletin MS03-046 *****]
Microsoft Security Bulletin MS03-046
Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)
Issued: October 15, 2003
Version Number: 1.0
Summary
Who Should Read This Document: System administrators who have servers
running Microsoft® Exchange Server
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: System administrators should apply the security patch to
Exchange servers immediately
Patch Replacement: None
Caveats: None
Tested Software and Patch Download Locations:
Affected Software:
Microsoft Exchange Server 5.5, Service Pack 4
- Download the patch
Microsoft Exchange 2000 Server, Service Pack 3
- Download the patch
Non Affected Software:
Microsoft Exchange Server 2003
The software listed above has been tested to determine if the versions are
affected. Other versions are no longer supported, and may or may not be
affected.
Technical Details
Technical Description:
In Exchange Server 5.5, a security vulnerability exists in the Internet Mail
Service that could allow an unauthenticated attacker to connect to the SMTP
port on an Exchange server and issue a specially-crafted extended verb
request that could allocate a large amount of memory. This could shut
down the Internet Mail Service or could cause the server to stop responding
because of a low memory condition.
In Exchange 2000 Server, a security vulnerability exists that could allow
an unauthenticated attacker to connect to the SMTP port on an Exchange
server and issue a specially-crafted extended verb request. That request
could cause a denial of service that is similar to the one that could
occur on Exchange 5.5. Additionally, if an attacker issues the request
with carefully chosen data, the attacker could cause a buffer overrun that
could allow the attacker to run malicious programs of their choice in the
security context of the SMTP service.
Mitigating Factors:
Microsoft ISA Server 2000, or third-party products that relay and filter
SMTP traffic before forwarding it to Exchange, could be used to prevent
this attack over the Internet.
Customers who use ISA Server 2000 to publish Exchange SMTP services with
the default SMTP publishing rules are at reduced risk from this attack
over the Internet. The Workarounds section below discusses these ISA
publishing rules.
Severity Rating:
Exchange Server 5.5: Important
Exchange 2000 Server: Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability Identifier: CAN-2003-0714
Workarounds
Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability; however, they help block known attack
vectors. Workarounds may cause a reduction in functionality in some cases;
in such situations this is identified below.
Use SMTP protocol inspection to filter out SMTP protocol extensions.
There are default ISA publishing rules for Exchange for filtering out any
SMTP protocol extensions from traffic that passes the firewall. Other
third-party products may offer similar functionality. More information is
available at http://support.microsoft.com/default.aspx?scid=kb;en-us;311237.
Only accept authenticated SMTP sessions.
If practical, accept only connections from SMTP servers that authenticate
themselves by using the SMTP AUTH command.
To require SMTP authentication on an Exchange 2000 server:
1. Start Exchange System Manager.
2. Locate the server in the organization tree.
3. Expand the Protocols container for the server.
4. Expand the SMTP container.
5. For each SMTP virtual server:
- Open the properties of the virtual server object.
- Click the Access properties page.
- Click the Authentication button.
- Clear the "Anonymous Access" checkbox.
- Click OK to accept the change.
To require SMTP authentication on an Exchange 5.5 server:
To require authentication for inbound connections:
1. Click the Connections page.
2. In the "Accept Connections" Section, mark the radio button for "Only from
hosts using Authentication."
Impact of Workaround: Because most of the SMTP servers on the Internet
only support Anonymous Authentication, inbound sessions from external
SMTP servers will be affected.
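As an added illustration of the two workarounds above (SMTP protocol inspection and requiring SMTP AUTH), the following Python model of an inspection filter is not part of the Microsoft or CIAC bulletin: it refuses command lines whose verb is outside the base SMTP set, refuses over-long command lines, and can optionally refuse mail transactions until an AUTH command has been seen. The verb name XEXTN and the session lines are constructed samples, and server replies are assumed to succeed.

```python
from typing import List, Tuple

# Base SMTP verbs an inbound relay needs (RFC 2821 core set plus AUTH and
# STARTTLS). Anything else, including vendor "X"-prefixed extended verbs, is
# treated as a protocol extension and refused, which is what the ISA SMTP
# publishing rules described in the bulletin do.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
                 "NOOP", "QUIT", "VRFY", "STARTTLS", "AUTH"}
MAX_LINE_LEN = 512  # RFC 2821 maximum command line length, CRLF included

def inspect_session(lines: List[str], require_auth: bool = False) -> List[Tuple[str, str]]:
    """Classify each client line as 'pass' or a rejection reason.
    require_auth=True models the second workaround: MAIL, RCPT and DATA are
    refused until an AUTH command has been seen (server replies are not
    modelled; the AUTH exchange is assumed to succeed)."""
    verdicts, authenticated, in_data = [], False, False
    for line in lines:
        if in_data:  # message body lines are not commands; "." ends the body
            in_data = line.rstrip("\r\n") != "."
            verdicts.append(("pass", line))
            continue
        if len(line) > MAX_LINE_LEN:
            verdicts.append(("reject: line too long", line))
            continue
        verb = line.strip().split(" ", 1)[0].upper()
        if verb not in ALLOWED_VERBS:
            verdicts.append(("reject: extended verb", line))
            continue
        if require_auth and not authenticated and verb in {"MAIL", "RCPT", "DATA"}:
            verdicts.append(("reject: authentication required", line))
            continue
        authenticated = authenticated or verb == "AUTH"
        in_data = verb == "DATA"
        verdicts.append(("pass", line))
    return verdicts

def rejected(lines: List[str], require_auth: bool = False) -> List[str]:
    """Convenience view: only the lines the filter would refuse."""
    return [l for v, l in inspect_session(lines, require_auth) if v != "pass"]

# Constructed sample session: a normal transaction, one extended verb and one
# over-long command line (XEXTN is a made-up verb name, not a real one).
SAMPLE = ["EHLO relay.example\r\n", "XEXTN hello\r\n",
          "NOOP " + "A" * 600 + "\r\n", "MAIL FROM:<a@example>\r\n",
          "RCPT TO:<b@example>\r\n", "DATA\r\n", "Subject: hi\r\n", "\r\n",
          "hello\r\n", ".\r\n", "QUIT\r\n"]
```

Run `rejected(SAMPLE)` to see the two refused lines, and `rejected(SAMPLE, require_auth=True)` to see the mail transaction additionally blocked for an unauthenticated peer.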
Use a firewall to block the port that SMTP uses.
Use a firewall to block the port that SMTP uses. Typically, that is port 25.
Impact of Workaround:
This workaround should only be used as a last resort
to help protect you from this vulnerability. This workaround may directly
affect the ability to communicate with external parties by e-mail.
For additional information about how to help make your Exchange environment
more secure, visit the Security Resources for Exchange 5.5 and Security
Resources for Exchange 2000 Web sites.
Security Patch Information
Exchange 2000 Server Service Pack 3
Exchange Server 5.5 Service Pack 4
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
João Gouveia for reporting the issue described in MS03-046.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be
most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
Support:
Technical support is available from Microsoft Product Support Services at
1-866-PCSAFETY. There is no charge for support calls associated with
security patches.
Security Resources:
The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.
Microsoft Software Update Services: http://www.microsoft.com/sus/
Microsoft Baseline Security Analyzer (MBSA) details:
http://www.microsoft.com/mbsa.
Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for
a list of security patches that have detection limitations with the MBSA tool.
Windows Update Catalog:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (October 15, 2003): Bulletin published.
[***** End Microsoft Security Bulletin MS03-046 *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/