Alert:Microsoft Security Bulletin - MS02-011

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/20/02


Date:         Wed, 20 Mar 2002 03:16:42 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service

Originally posted: February 27, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Windows® 2000 or Exchange® Server 5.5

Impact of vulnerability: Mail relaying.

Maximum Severity Rating: Low

Recommendation: Customers who need the Windows 2000 SMTP services should apply the Windows patch; all others should disable the SMTP service. Customers using the Exchange Server 5.5 IMC should apply the Exchange Server 5.5 IMC patch.

Affected Software:
- Microsoft Windows 2000
- Microsoft Exchange Server 5.5

Technical description:

An SMTP service installs by default as part of Windows 2000 server products and as part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5. (The IMC, also known as the Microsoft Exchange Internet Mail Service, provides access and message exchange to and from any system that uses SMTP). A vulnerability results in both services because of a flaw in the way they handle a valid response from the NTLM authentication layer of the underlying operating system.

By design, the Windows 2000 SMTP service and the Exchange Server 5.5 IMC, upon receiving notification from the NTLM authentication layer that a user has been authenticated, should perform additional checks before granting the user access to the service. The vulnerability results because the affected services don't perform this additional checking correctly. In some cases, this could result in the SMTP service granting access to a user solely on the basis of their ability to successfully authenticate to the server.

An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.

Mitigating factors:
- Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service.
- The vulnerability would not enable the attacker to read other users' email, nor to send mail as other users.
- Best practices recommend disabling unneeded services. If the SMTP service has been disabled, the mail relaying vulnerability could not be exploited.
- The vulnerability would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.

Vulnerability identifier: CAN-2002-0054

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
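
The authentication-versus-authorization gap in the bulletin's technical description, modelled as an added example (not part of the original post or of Microsoft's code). The bulletin does not say what the "additional checks" are; this sketch assumes a relay allow-list, and every account name, domain and session record is constructed.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}          # constructed: domains this server hosts
RELAY_ALLOWED = {"example\\mailrelay"}   # constructed: accounts allowed to relay

@dataclass(frozen=True)
class Session:
    principal: str       # identity reported by the authentication layer
    authenticated: bool  # that layer's verdict
    rcpt: str            # RCPT TO address of the message

def is_relay(s: Session) -> bool:
    """A message is relayed when its recipient is outside the local domains."""
    return s.rcpt.rpartition("@")[2].lower() not in LOCAL_DOMAINS

def may_relay_flawed(s: Session) -> bool:
    """Behaviour the bulletin describes: successful authentication alone suffices."""
    return s.authenticated

def may_relay_checked(s: Session) -> bool:
    """Authentication is necessary, not sufficient: the account must also be
    authorized to relay. Windows account names compare case-insensitively."""
    return s.authenticated and s.principal.casefold() in RELAY_ALLOWED

def audit(sessions):
    """Relay attempts the flawed logic grants but the checked logic refuses."""
    return [s for s in sessions
            if is_relay(s) and may_relay_flawed(s) and not may_relay_checked(s)]

# Constructed session records, for illustration only.
SAMPLE = [
    Session("EXAMPLE\\mailrelay", True, "bob@partner.test"),       # authorized relay
    Session("EXAMPLE\\guestuser", True, "victim@elsewhere.test"),  # authenticated only
    Session("EXAMPLE\\guestuser", True, "alice@example.com"),      # local delivery
    Session("", False, "x@elsewhere.test"),                        # not authenticated
    Session("example\\MailRelay", True, "carol@partner.test"),     # case variant
]

if __name__ == "__main__":
    for s in audit(SAMPLE):
        print(f"unauthorized relay: {s.principal} -> {s.rcpt}")
```
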


