Microsoft Security Bulletin MS02-011

Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service

Originally posted: February 27, 2002

Summary

Who should read this bulletin: Customers using Microsoft(r) Windows(r) 2000 or Exchange(r) Server 5.5

Impact of vulnerability: Mail relaying.

Maximum Severity Rating: Low

Recommendation: Customers who need the Windows 2000 SMTP services should apply the Windows patch; all others should disable the SMTP service. Customers using the Exchange Server 5.5 IMC should apply the Exchange Server 5.5 IMC patch.

Affected Software:
- Microsoft Windows 2000
- Microsoft Exchange Server 5.5

Technical details

Technical description:

An SMTP service installs by default as part of Windows 2000 server products and as part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5. (The IMC, also known as the Microsoft Exchange Internet Mail Service, provides access and message exchange to and from any system that uses SMTP.)

A vulnerability results in both services because of a flaw in the way they handle a valid response from the NTLM authentication layer of the underlying operating system. By design, the Windows 2000 SMTP service and the Exchange Server 5.5 IMC, upon receiving notification from the NTLM authentication layer that a user has been authenticated, should perform additional checks before granting the user access to the service. The vulnerability results because the affected services don't perform this additional checking correctly. In some cases, this could result in the SMTP service granting access to a user solely on the basis of their ability to successfully authenticate to the server.

An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.
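The technical description turns on the difference between a successful authentication result and the additional authorization checks the service is supposed to make afterwards. The following Python model is an added illustration, not code from the bulletin or from Microsoft: it puts a "vulnerable" relay decision, which trusts the authentication layer's success result on its own, beside a "fixed" decision that also checks whether the account may use the service and may relay. The accounts, domains, permissions and reply strings are constructed for the example.

```python
"""
Added example, not code from the bulletin or from Microsoft: a small model of
the authorization step an SMTP service performs after the operating system's
authentication layer (NTLM in the bulletin) reports that a user authenticated.
The "vulnerable" policy grants relay rights on authentication alone; the
"fixed" policy performs the additional checks the bulletin says the service
should make. Every account, domain and permission below is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthResult:
    """What the authentication layer hands back to the SMTP service."""
    authenticated: bool
    user: Optional[str] = None  # principal name on success, None on failure


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: FrozenSet[str]  # domains this server delivers for itself
    service_users: FrozenSet[str]  # accounts allowed to use the SMTP service
    relay_users: FrozenSet[str]    # accounts additionally allowed to relay

    def is_local(self, rcpt: str) -> bool:
        """Mail for one of our own domains is inbound delivery, not relaying."""
        return rcpt.rpartition("@")[2].lower() in self.local_domains

    def vulnerable_may_relay(self, auth: AuthResult, rcpt: str) -> bool:
        """Flaw modelled on the bulletin: a success result from the
        authentication layer is treated as sufficient; nothing else is checked."""
        if self.is_local(rcpt):
            return True
        return auth.authenticated

    def fixed_may_relay(self, auth: AuthResult, rcpt: str) -> bool:
        """Authentication plus the additional authorization checks."""
        if self.is_local(rcpt):
            return True
        if not auth.authenticated or auth.user is None:
            return False
        user = auth.user.lower()
        # The account must be permitted to use this service at all, and must
        # hold relay rights; having authenticated is not enough on its own.
        return user in self.service_users and user in self.relay_users


def rcpt_reply(policy: RelayPolicy, auth: AuthResult, rcpt: str, fixed: bool) -> str:
    """Reply the service would give to RCPT TO:<rcpt> under either policy.
    The reply text is illustrative, not the exact wording of any product."""
    if fixed:
        allowed = policy.fixed_may_relay(auth, rcpt)
    else:
        allowed = policy.vulnerable_may_relay(auth, rcpt)
    return "250 2.1.5 Recipient OK" if allowed else "550 5.7.1 Unable to relay"


# Constructed policy: two domain accounts may use the service, only one may relay.
POLICY = RelayPolicy(
    local_domains=frozenset({"example.test"}),
    service_users=frozenset({"corp\\mailgw", "corp\\alice"}),
    relay_users=frozenset({"corp\\mailgw"}),
)

# Constructed sessions: (label, authentication result, recipient address).
SESSIONS = [
    ("anonymous, local recipient",       AuthResult(False),                "bob@example.test"),
    ("anonymous, external recipient",    AuthResult(False),                "x@other.test"),
    ("alice (no relay right), external", AuthResult(True, "CORP\\alice"),  "x@other.test"),
    ("mailgw (relay right), external",   AuthResult(True, "CORP\\mailgw"), "x@other.test"),
]


def compare_policies() -> Dict[str, Tuple[str, str]]:
    """Map each session label to (vulnerable reply, fixed reply)."""
    return {
        label: (rcpt_reply(POLICY, auth, rcpt, fixed=False),
                rcpt_reply(POLICY, auth, rcpt, fixed=True))
        for label, auth, rcpt in SESSIONS
    }


if __name__ == "__main__":
    for label, (vuln, fixed) in compare_policies().items():
        print(f"{label:36} vulnerable: {vuln:26} fixed: {fixed}")
```

The session that matters is the third one: an account that can authenticate to the server but was never granted relay rights. The vulnerable decision accepts the external recipient because the authentication layer said yes; the fixed decision refuses it, which is exactly the "additional checking" the bulletin says the affected services omitted. Anonymous senders and the account that legitimately holds relay rights get the same answer under both policies.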
Mitigating factors:
- Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service.
- The vulnerability would not enable the attacker to read other users' email, nor to send mail as other users.
- Best practices recommend disabling unneeded services. If the SMTP service has been disabled, the mail relaying vulnerability could not be exploited.
- The vulnerability would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.

Severity Rating:

                         Internet Servers   Intranet Servers   Client Systems
Windows 2000             Low                Low                Low
Microsoft Exchange 5.5   Low                Low                None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. An attacker could only relay mail and would not be able to read mail, gain system privileges or run programs.

Vulnerability identifier: CAN-2002-0054

Tested Versions:
Microsoft tested Windows 2000, Windows NT(r) 4.0, Exchange Server 5.5 and Exchange Server 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable an unauthorized user to consume resources of a mail server without authorization. This could enable an attacker to disguise the origination point of a mail, or co-opt a server's resources for mass mailings. This vulnerability is subject to constraints:
- It would only affect servers running the Exchange Server 5.5 Internet Mail Connector service or the native Windows 2000 SMTP service.
- It would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.
- Mail servers running Exchange 2000 are not affected by this vulnerability.

What causes the vulnerability?
The vulnerability results because of an authentication error affecting both the SMTP service in Windows 2000 and the Exchange Server 5.5 Internet Mail Connector. Both of these services should perform additional checking before granting mail privileges to a user who has authenticated to the server; however, they do not do so correctly.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822. The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mails. An SMTP service is provided with Windows 2000 and installs by default on server products.

What is the Exchange 5.5 Internet Mail Connector?
The Internet Mail Connector (IMC) is the component in Exchange Server 5.5 that allows mail to be sent to and received from other servers that use SMTP. It installs by default as part of Exchange Server 5.5, and is also sometimes referred to as the Exchange Server 5.5 Internet Mail Service.

What's wrong with the Windows 2000 SMTP service and the Exchange Server 5.5 IMC?
Before a user can make use of a mail service, they first must authenticate to the server. But even if this is done successfully, the mail services themselves should perform additional checking to ensure that it's appropriate to let the user access them. Neither the Windows 2000 SMTP service nor the Exchange Server 5.5 IMC performs this additional checking correctly. The result is that a user who could successfully authenticate to the server would always have the ability to use the mail services, even if it's not appropriate.

What would this enable the attacker to do?
The vulnerability would enable an attacker to levy mail requests as an authorized user. That is, it would enable the attacker to send mail.
The most likely use of this vulnerability would be in performing mail relaying.

What's mail relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate mail server, which then delivers it to the recipient's mail server. Mail relaying is often a legitimate practice. For example, suppose a company with several servers has designated one of them as a mail gateway to the Internet. Any e-mail sent to the company would arrive at the gateway server, and then be relayed to the appropriate server for delivery to the recipient. However, malicious users also sometimes try to perform unauthorized mail relaying. For example, a spammer who has a low-end server and a slow network connection might use mail relaying in order to get someone else's higher-powered mail server and fast network connection to send spam on their behalf. Mail relaying also has been misused to disguise the point of origination for an email.

Would the vulnerability allow the attacker to take any other actions on the server?
The vulnerability would only confer user-level privileges on the SMTP service to the attacker - it would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands, nor would it allow the attacker to read, create, or send other users' mail.

Does this affect all Windows 2000 servers?
A Windows 2000 server would only be affected by it if the SMTP service is installed and running. This is the default configuration; however, Microsoft always recommends reviewing the list of services and disabling any that aren't needed.

Does the vulnerability affect the SMTP service in Windows NT 4.0?
No. Only the SMTP services that ship with Windows 2000 or the Exchange Server 5.5 IMC are affected.

Does this vulnerability affect Windows XP Professional?
Windows XP Professional was tested and is not affected by this vulnerability.

I'm running Exchange Server 5.5 on a Windows 2000 system.
Should I apply the Windows 2000 patch or the Exchange Server 5.5 patch?
Administrators of Exchange 5.5 need only apply the latest IMC patch described below. It is not necessary to apply the Windows 2000 patch.

I'm running Exchange Server 2000. Do I need a patch?
No. Even though Exchange Server 2000 can be installed on a Windows 2000 server (and indeed, it is the only system it can be installed on), Exchange Server 2000 is not affected by this vulnerability. Exchange Server 2000 installs components that perform the additional checking correctly.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the SMTP service properly authenticates users before allowing them to levy requests on it.

Patch availability

Download locations for this patch
- Microsoft Windows 2000 Server, Professional and Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
- Exchange Server 5.5: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423
- Microsoft Windows 2000 Datacenter Server: Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.

Additional information about this patch

Installation platforms:
- The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2.
- The Exchange Server 5.5 patch can be installed on systems running Exchange Server 5.5 Service Pack 4.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 SP3. At this time there are no plans for another Exchange Server 5.5 service pack.

Reboot needed: Yes

Superseded patches: None.

Superseding patches: The patch for MS02-012 contains this fix for Windows 2000.

Verifying patch installation:

Exchange Server 5.5:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the Exchange Server 5.5 machine: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange 5.5\SP5\Q289258.
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange 5.5\SP5\Q289258\filelist.

Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the Windows 2000 machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q313450.
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q313450\Filelist.

Caveats: None

Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.
- All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks BindView's RAZOR Team for reporting this issue to us and working with us to protect customers.

Support:
- Microsoft Knowledge Base articles Q313450 and Q289258 discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind.
Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
- V1.0 (February 27, 2002): Bulletin Created.