Alert: Microsoft Security Bulletin MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Tue, 13 Jan 2004 15:31:51 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Microsoft Security Bulletin MS04-002:
Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation
Version Number: V1.0
Revision Date: 01-13-2004
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Moderate
Patch(es) Replaced: None
Caveats: Apply the update when a disruption in OWA and Simple Mail
Transfer Protocol (SMTP) mail flow and other Internet Information
Services (IIS) applications is acceptable.
CVE Number(s): CAN-2003-0904
* Microsoft Exchange Server 2003
Software Not Affected:
* Microsoft Exchange 2000 Server
* Microsoft Exchange Server 5.5
A vulnerability exists in the way that Hypertext Transfer Protocol
(HTTP) connections are reused when NTLM authentication is used between
front-end Exchange 2003 servers providing OWA access and , when running
Outlook Web Access (OWA) on Windows 2000 and Windows Server 2003, and
when using back-end Exchange 2003 servers that are running Windows
Users who access their mailboxes through an Exchange 2003 front-end
server and Outlook Web Access might get connected to another user's
mailbox if that other mailbox is (1) hosted on the same back-end mailbox
server and (2) if that mailbox has been recently accessed by its owner.
Attackers seeking to exploit this vulnerability could not predict which
mailbox they might become connected to. The vulnerability causes random
and unreliable access to mailboxes and is specifically limited to
mailboxes that have recently been accessed through OWA.
By default, Kerberos authentication is used as the HTTP authentication
method between Exchange Server 2003 front-end and back-end Exchange
servers. This behavior manifests itself only in deployments where OWA is
used in an Exchange front-end/back-end server configuration and Kerberos
has been disabled as an authentication method for OWA communication
between the front-end and back-end Exchange servers.
This vulnerability is exposed if the Web site that is running the
Exchange Server 2003 programs on the Exchange back-end server has been
configured not to negotiate Kerberos authentication, causing OWA to fall
back to using NTLM authentication. The only known way that this
vulnerability can be exposed is by a change in the default configuration
of Internet Information Services 6.0 on the Exchange back-end server.
This vulnerability cannot be exposed by a routine fallback to NTLM
because of a problem with Kerberos authentication. This configuration
change may occur when Microsoft Windows SharePoint Services (WSS) 2.0 is
installed on a Windows Server 2003 server that also functions as an
Exchange Server 2003 back-end.
This email is sent to NTBugtraq automagically as a service to my
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Editor's Note: The 43rd Most Powerful Person in Networking says...
Wondering how to unsubscribe from NTBugtraq? Just send a message to Listserv@listserv.ntbugtraq.com with unsubscribe ntbugtraq in the message body, you don't need a subject line. If it says you aren't subscribed, you've either subscribed with a different email address or your address has changed somehow. Just email Russ.Cooper@rc.on.ca and I'll remove you.