Fw: Microsoft Security Bulletin MS02-025: Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources (Q320436)
- From: "Mark Fugatt" <mark@xxxxxxxxx>
- To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
- Date: Wed, 29 May 2002 15:40:35 -0400
> Title: Malformed Mail Attribute can Cause Exchange 2000 to
> Exhaust CPU Resources (Q320436)
> Date: 29 May 2002
> Software: Microsoft Exchange
> Impact: Denial of Service
> Max Risk: Critical
> Bulletin: MS02-025
>
> Microsoft encourages customers to review the Security Bulletin at:
> http://www.microsoft.com/technet/security/bulletin/MS02-025.asp.
> - ----------------------------------------------------------------------
>
> Issue:
> ======
> To support the exchange of mail with heterogeneous systems,
> Exchange messages use the attributes of SMTP mail messages that
> are specified by RFC's 821 and 822. There is a flaw in the way
> Exchange 2000 handles certain malformed RFC message attributes
> on received mail. Upon receiving a message containing such
> a malformation, the flaw causes the Store service to consume
> 100% of the available CPU in processing the message.
>
> A security vulnerability results because it is possible for an
> attacker to seek to exploit this flaw and mount a denial of
> service attack. An attacker could attempt to levy an attack
> by connecting directly to the Exchange server and passing a
> raw, hand-crafted mail message with a specially malformed
> attribute. When the message was received and processed by the
> Store service, the CPU would spike to 100%. The effects of the
> attack would last as long as it took for the Exchange Store
> service to process the message. Neither restarting the service
> nor rebooting the server would remedy the denial of service.
>
> Mitigating Factors:
> ====================
> - The effect of an attack via this vulnerability would be
> temporary. Once the server completed processing the
> message, normal operations would resume. However, it
> is not possible to halt the processing of the message
> once begun, even with a reboot.
>
> - The vulnerability does not provide any capability to
> compromise data on the server or gain administrative
> control over it.
>
> - Mounting a successful attack requires the ability to pass a
> hand-crafted message to the target system, most likely through
> a simulated server-based connection. It is not possible to
> craft a malformed message using an email client such as
> Outlook or Outlook Express.
>
> Risk Rating:
> ============
> - Internet systems: Critical
> - Intranet systems: Critical
> - Client systems: None
>
> Patch Availability:
> ===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletin at
> http://www.microsoft.com/technet/security/bulletin/ms02-025.asp
> for information on obtaining this patch.
>
> Acknowledgment:
> ===============
> - Mr. Allendoerfer (allendoerfer@xxxxxxxxxxxx);
> Mr. Koenig (koenig@xxxxxxxxxxxx);
> Mr. Kraemer (kraemer@xxxxxxxxxxxx);
> Mr. Schaal (schaal@xxxxxxxxxxxx);
> Mr. Tacke (tacke@xxxxxxxxxxxx) of the Computing Center,
> Johannes Gutenberg University Mainz, Germany
> - ---------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
> ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
> IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
> DAMAGES
> WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
> LOSS OF
> BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
> ITS
> SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
> STATES DO
> NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
> OR
> INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQEVAwUBPPUZCI0ZSRQxA/UrAQHOdwgArEHNVboO1OjPt3cRNzxY1P3sgD8ajB0F
> mxmy4xbSCcwfMKPdUztFsup8LmzHEYxlYHjo1lS8RiptQEqONHZuhehUlbu8B82u
> 3ZU0aaQxnORLH9mpBTftTrJIebEog4bPDL+A9DxhSBRnsJvgHBKPYUqyx+6fky0J
> h+acANXiCXHvwfcvnOyp3eMCM5kkqGraZ1A6STtJUUItUhTRkHN7VveMu/a4BuT2
> vyVLsbHWRlfuBgb4ocjkRN8XUd4bZXXIomSEVn6yyOsJCTVamn4ALGWTI71sQ5EI
> 0QEPnxhrypkM/ujYxIpo5TGdhmiKyooU9zSrHsEGDUeYC/bLzcah/Q==
> =g7N5
> -----END PGP SIGNATURE-----
>
>
> *******************************************************************
>
> You have received this e-mail bulletin because of your subscription to the
Microsoft Product Security Notification Service. For more information on
this service, please visit
http://www.microsoft.com/technet/security/notify.asp.
>
> To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
>
> To unsubscribe from the Microsoft Security Notification Service, please
visit the Microsoft Profile Center at
http://register.microsoft.com/regsys/pic.asp
>
> If you do not wish to use Microsoft Passport, you can unsubscribe from the
Microsoft Security Notification Service via email as described below:
> Send an email to unsubscribe to the Service by following these steps:
> a. Send an e-mail to securrem@xxxxxxxxxxxxxx The subject line and the
message body are not used to process the subscription request, and can be
anything you like.
> b. Send the e-mail.
> c. You will receive a response, asking you to verify that you really want
to cancel your subscription. Compose a reply, and put "OK" in the message
body. (Without the quotes). Send the reply.
> d. You will receive an e-mail telling you that your name has been removed
from the subscriber list.
>
> For security-related information about Microsoft products, please visit
the Microsoft Security Advisor web site at
http://www.microsoft.com/security.
>
Other related posts:
