> Title: Malformed Mail Attribute can Cause Exchange 2000 to > Exhaust CPU Resources (Q320436) > Date: 29 May 2002 > Software: Microsoft Exchange > Impact: Denial of Service > Max Risk: Critical > Bulletin: MS02-025 > > Microsoft encourages customers to review the Security Bulletin at: > http://www.microsoft.com/technet/security/bulletin/MS02-025.asp. > - ---------------------------------------------------------------------- > > Issue: > ====== > To support the exchange of mail with heterogeneous systems, > Exchange messages use the attributes of SMTP mail messages that > are specified by RFC's 821 and 822. There is a flaw in the way > Exchange 2000 handles certain malformed RFC message attributes > on received mail. Upon receiving a message containing such > a malformation, the flaw causes the Store service to consume > 100% of the available CPU in processing the message. > > A security vulnerability results because it is possible for an > attacker to seek to exploit this flaw and mount a denial of > service attack. An attacker could attempt to levy an attack > by connecting directly to the Exchange server and passing a > raw, hand-crafted mail message with a specially malformed > attribute. When the message was received and processed by the > Store service, the CPU would spike to 100%. The effects of the > attack would last as long as it took for the Exchange Store > service to process the message. Neither restarting the service > nor rebooting the server would remedy the denial of service. > > Mitigating Factors: > ==================== > - The effect of an attack via this vulnerability would be > temporary. Once the server completed processing the > message, normal operations would resume. However, it > is not possible to halt the processing of the message > once begun, even with a reboot. > > - The vulnerability does not provide any capability to > compromise data on the server or gain administrative > control over it. > > - Mounting a successful attack requires the ability to pass a > hand-crafted message to the target system, most likely through > a simulated server-based connection. It is not possible to > craft a malformed message using an email client such as > Outlook or Outlook Express. > > Risk Rating: > ============ > - Internet systems: Critical > - Intranet systems: Critical > - Client systems: None > > Patch Availability: > =================== > - A patch is available to fix this vulnerability. Please read the > Security Bulletin at > http://www.microsoft.com/technet/security/bulletin/ms02-025.asp > for information on obtaining this patch. > > Acknowledgment: > =============== > - Mr. Allendoerfer (allendoerfer@xxxxxxxxxxxx); > Mr. Koenig (koenig@xxxxxxxxxxxx); > Mr. Kraemer (kraemer@xxxxxxxxxxxx); > Mr. Schaal (schaal@xxxxxxxxxxxx); > Mr. Tacke (tacke@xxxxxxxxxxxx) of the Computing Center, > Johannes Gutenberg University Mainz, Germany > - --------------------------------------------------------------------- > > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS > ALL > WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. > IN NO EVENT > SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY > DAMAGES > WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, > LOSS OF > BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR > ITS > SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME > STATES DO > NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL > OR > INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.1 > > iQEVAwUBPPUZCI0ZSRQxA/UrAQHOdwgArEHNVboO1OjPt3cRNzxY1P3sgD8ajB0F > mxmy4xbSCcwfMKPdUztFsup8LmzHEYxlYHjo1lS8RiptQEqONHZuhehUlbu8B82u > 3ZU0aaQxnORLH9mpBTftTrJIebEog4bPDL+A9DxhSBRnsJvgHBKPYUqyx+6fky0J > h+acANXiCXHvwfcvnOyp3eMCM5kkqGraZ1A6STtJUUItUhTRkHN7VveMu/a4BuT2 > vyVLsbHWRlfuBgb4ocjkRN8XUd4bZXXIomSEVn6yyOsJCTVamn4ALGWTI71sQ5EI > 0QEPnxhrypkM/ujYxIpo5TGdhmiKyooU9zSrHsEGDUeYC/bLzcah/Q== > =g7N5 > -----END PGP SIGNATURE----- > > > ******************************************************************* > > You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp. > > To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. > > To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp > > If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: > Send an email to unsubscribe to the Service by following these steps: > a. Send an e-mail to securrem@xxxxxxxxxxxxxx The subject line and the message body are not used to process the subscription request, and can be anything you like. > b. Send the e-mail. > c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK" in the message body. (Without the quotes). Send the reply. > d. You will receive an e-mail telling you that your name has been removed from the subscriber list. > > For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. >