-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: Authentication Flaw Could Allow Unauthorized Users To
Authenticate To SMTP Service
Date: 27 February 2002
Software: Microsoft Windows 2000; Microsoft Exchange Server 5.5
Impact: Mail Relaying
Max Risk: Low
Bulletin: MS02-011
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp.
- ----------------------------------------------------------------------
Issue:
======
An SMTP service installs by default as part of Windows 2000 server
products and as part of the Internet Mail Connector (IMC) for
Microsoft Exchange Server 5.5. (The IMC, also known as the
Microsoft Exchange Internet Mail Service, provides access and
message exchange to and from any system that uses SMTP). A
vulnerability results in both services because of a flaw in the
way they handle a valid response from the NTLM authentication
layer of the underlying operating system.
By design, the Windows 2000 SMTP service and the
Exchange Server 5.5 IMC, upon receiving notification from
the NTLM authentication layer that a user has been authenticated,
should perform additional checks before granting the user access
to the service. The vulnerability results because the affected
services don't perform this additional checking correctly. In
some cases, this could result in the SMTP service granting access
to a user solely on the basis of their ability to successfully
authenticate to the server.
An attacker who exploited the vulnerability could gain only
user-level privileges on the SMTP service, thereby enabling the
attacker to use the service but not to administer it. The most
likely purpose in exploiting the vulnerability would be to
perform mail relaying via the server.
Mitigating Factors:
====================
- Exchange 2000 servers are not affected by the vulnerability
because they correctly handle the authentication process to the
SMTP service.
- The vulnerability would not enable the attacker to read other
users' email, nor to send mail as other users.
- Best practices recommend disabling unneeded services. If the
SMTP service has been disabled, the mail relaying vulnerability
could not be exploited.
- The vulnerability would not grant administrative privileges to
the service, nor would it grant the attacker the ability to run
programs or operating system commands.
Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Low
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
for information on obtaining this patch.
Acknowledgment:
===============
- BindView's RAZOR Team (http://razor.bindview.com)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPH2VYI0ZSRQxA/UrAQFMsgf/ZoP5yg1R1qEQTDWhSJo07zG8Yg9fhKxt
UEWddDF4x+M8Mr7YQnYX+LMRjh35ptwbixIG/qrmr0AiaxwdrXFI2zI88FhN0WSa
nioVlHom2Q4hOOhK3lf7aLobo5I9qnEs9+ioOUIQtxzsMdl9CbyV8mhNfq8xPLqe
Sq7W26hNtz6IrHAS+AB4ccq8a9xmp5LQOUvAeKCmuMElX4IMjJkLGp0jhUTpHyoF
2RAqvrTriCmM33GMohQ1sR1YAhca5NqsK8p8Cw0iVLNzeIqIpKLhDjGdxHVBKxut
jAQGst+rQTeLhMr0YIXZ6E8QXckSuft+22PKxG0HBcpCm0c5e55dog==
=9GZH
-----END PGP SIGNATURE-----