Alert: Microsoft Security Bulletin - MS02-025

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 05/29/02

Date:         Wed, 29 May 2002 17:21:42 -0400
From: Russ <Russ.Cooper@RC.ON.CA>

Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources (Q320436)

Originally posted: May 29, 2002


Who should read this bulletin: System administrators using Exchange 2000.

Impact of vulnerability: Denial of service

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the patch to servers running Exchange 2000.

Affected Software:
- Microsoft Exchange 2000

Technical description:

To support the exchange of mail with heterogeneous systems, Exchange messages use the attributes of SMTP mail messages that are specified by RFCs 821 and 822. There is a flaw in the way Exchange 2000 handles certain malformed RFC message attributes on received mail. Upon receiving a message containing such a malformation, the flaw causes the Store service to consume 100% of the available CPU in processing the message.

A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a denial of service attack. An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. When the message was received and processed by the Store service, the CPU would spike to 100%. The effects of the attack would last as long as it took for the Exchange Store service to process the message. Neither restarting the service nor rebooting the server would remedy the denial of service.

Mitigating factors:
- The effect of an attack via this vulnerability would be temporary. Once the server completed processing the message, normal operations would resume. However, it is not possible to halt the processing of the message once begun, even with a reboot.
- The vulnerability does not provide any capability to compromise data on the server or gain administrative control over it.
- Mounting a successful attack requires the ability to pass a hand-crafted message to the target system, most likely through a simulated server-based connection. It is not possible to craft a malformed message using an email client such as Outlook or Outlook Express.

Vulnerability identifier: CAN-2002-0368

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
