----------------------------------------------------------------------
Title:      Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources (Q320436)
Date:       29 May 2002
Software:   Microsoft Exchange
Impact:     Denial of Service
Max Risk:   Critical
Bulletin:   MS02-025

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-025.asp.
----------------------------------------------------------------------

Issue:
======
To support the exchange of mail with heterogeneous systems, Exchange messages use the attributes of SMTP mail messages that are specified by RFCs 821 and 822. There is a flaw in the way Exchange 2000 handles certain malformed RFC message attributes on received mail. Upon receiving a message containing such a malformation, the flaw causes the Store service to consume 100% of the available CPU in processing the message.

A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a denial of service attack. An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. When the message was received and processed by the Store service, the CPU would spike to 100%.

The effects of the attack would last as long as it took for the Exchange Store service to process the message. Neither restarting the service nor rebooting the server would remedy the denial of service.

Mitigating Factors:
====================
- The effect of an attack via this vulnerability would be temporary. Once the server completed processing the message, normal operations would resume. However, it is not possible to halt the processing of the message once begun, even with a reboot.
- The vulnerability does not provide any capability to compromise data on the server or gain administrative control over it.
- Mounting a successful attack requires the ability to pass a hand-crafted message to the target system, most likely through a simulated server-based connection. It is not possible to craft a malformed message using an email client such as Outlook or Outlook Express.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-025.asp for information on obtaining this patch.

Acknowledgment:
===============
- Mr. Allendoerfer (allendoerfer@uni-mainz.de); Mr. Koenig (koenig@uni-mainz.de); Mr. Kraemer (kraemer@uni-mainz.de); Mr. Schaal (schaal@uni-mainz.de); Mr. Tacke (tacke@uni-mainz.de) of the Computing Center, Johannes Gutenberg University Mainz, Germany

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.