RE: Microsoft Security Bulletin MS02-011

From: Skinner, Kit (KSkinner@sandstream.com)
Date: 02/28/02


From: "Skinner, Kit" <KSkinner@sandstream.com>
To: focus-ms@securityfocus.com
Date: Thu, 28 Feb 2002 16:46:37 -0000

Does anyone have any details about the "Authentication Flaw" in question?
Apparently the SMTP service gets back from the NTLM that a user was
authenticated, but then SMTP should "perform additional checks before
granting the user access to the service." What additional checks are they
talking about?

 * Are they considering an anonymous connection "authenticated"?
 * Are they considering a Guest user as authenticated and then the service
is granting that account User Rights?
 * Is NTLM giving a false positive on the authentication?

The obviously if its the last one, it'd be a HUGE issue, so I doubt that's
it.

I assume its something like one of the first two in which NTLM says "yup,
that's an account in my database and that's their password," and SMTP just
figures that's good enough and doesn't consider an account in the Guest
group and not the Users group. If this is the case, this could legitimately
break an installation, because someone might setup a service account on a
remote server as a guest on the SMTP server trying to give it *only* the
ability to relay messages and nothing more.

However, if its the first one (which I also doubt), how can an anonymous
user be considered "authenticated"? Anyone got any ideas.

Or is it something else entirely? Anyone got any ideas?

Anyone from RAZOR subscribe to this list and can give us more details?

Thanks in advanced,
-K

-----Original Message-----
From: Microsoft
[mailto:0_26426_939846D7-5389-7A41-BAEA-24C8A372DF46_US@Newsletters.Micr
osoft.com]
Sent: Wednesday, February 27, 2002 9:45 PM
To: kskinner@sandstream.com
Subject: Microsoft Security Bulletin MS02-011

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Authentication Flaw Could Allow Unauthorized Users To
            Authenticate To SMTP Service
Date: 27 February 2002
Software: Microsoft Windows 2000; Microsoft Exchange Server 5.5
Impact: Mail Relaying
Max Risk: Low
Bulletin: MS02-011

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp.
- ----------------------------------------------------------------------

Issue:
======
An SMTP service installs by default as part of Windows 2000 server
products and as part of the Internet Mail Connector (IMC) for
Microsoft Exchange Server 5.5. (The IMC, also known as the
Microsoft Exchange Internet Mail Service, provides access and
message exchange to and from any system that uses SMTP). A
vulnerability results in both services because of a flaw in the
way they handle a valid response from the NTLM authentication
layer of the underlying operating system.

By design, the Windows 2000 SMTP service and the
Exchange Server 5.5 IMC, upon receiving notification from
the NTLM authentication layer that a user has been authenticated,
should perform additional checks before granting the user access
to the service. The vulnerability results because the affected
services don't perform this additional checking correctly. In
some cases, this could result in the SMTP service granting access
to a user solely on the basis of their ability to successfully
authenticate to the server.

An attacker who exploited the vulnerability could gain only
user-level privileges on the SMTP service, thereby enabling the
attacker to use the service but not to administer it. The most
likely purpose in exploiting the vulnerability would be to
perform mail relaying via the server.

Mitigating Factors:
====================
 - Exchange 2000 servers are not affected by the vulnerability
   because they correctly handle the authentication process to the
   SMTP service.

 - The vulnerability would not enable the attacker to read other
   users' email, nor to send mail as other users.

 - Best practices recommend disabling unneeded services. If the
   SMTP service has been disabled, the mail relaying vulnerability
   could not be exploited.

 - The vulnerability would not grant administrative privileges to
   the service, nor would it grant the attacker the ability to run
   programs or operating system commands.

Risk Rating:
============
 - Internet systems: Low
 - Intranet systems: Low
 - Client systems: Low

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - BindView's RAZOR Team (http://razor.bindview.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPH2VYI0ZSRQxA/UrAQFMsgf/ZoP5yg1R1qEQTDWhSJo07zG8Yg9fhKxt
UEWddDF4x+M8Mr7YQnYX+LMRjh35ptwbixIG/qrmr0AiaxwdrXFI2zI88FhN0WSa
nioVlHom2Q4hOOhK3lf7aLobo5I9qnEs9+ioOUIQtxzsMdl9CbyV8mhNfq8xPLqe
Sq7W26hNtz6IrHAS+AB4ccq8a9xmp5LQOUvAeKCmuMElX4IMjJkLGp0jhUTpHyoF
2RAqvrTriCmM33GMohQ1sR1YAhca5NqsK8p8Cw0iVLNzeIqIpKLhDjGdxHVBKxut
jAQGst+rQTeLhMr0YIXZ6E8QXckSuft+22PKxG0HBcpCm0c5e55dog==
=9GZH
-----END PGP SIGNATURE-----

*******************************************************************

You have received this e-mail bulletin as a result of your subscription to
the Microsoft Product Security Notification Service. For more information
on this service, please visit
http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

To cancel your subscription, click on the following link
mailto:1_26426_939846D7-5389-7A41-BAEA-24C8A372DF46_US@Newsletters.Microsoft
.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.

To stop all e-mail newsletters from microsoft.com, click on the following
link
mailto:2_26426_939846D7-5389-7A41-BAEA-24C8A372DF46_US@Newsletters.Microsoft
.com?subject=STOPMAIL to create an unsubscribe e-mail. You can manage all
your Microsoft.com communication preferences from
http://www.microsoft.com/misc/unsubscribe.htm

For security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.



Relevant Pages

  • Alert:Microsoft Security Bulletin - MS02-011
    ... Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service. ... FREE White Paper shows you how to ensure TOTAL security for your Internet ...
    (NT-Bugtraq)
  • Alert:Microsoft Security Bulletin - MS02-011
    ... Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service. ... If the SMTP service has been disabled, the mail relaying vulnerability could not be exploited. ...
    (NT-Bugtraq)
  • Re: error 0x85010004 on wm5 with exchange sp1
    ... this issue occurs when the related settings in IIS is ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... Select Edit in Authentication and access control box. ...
    (microsoft.public.windows.server.sbs)
  • Re: Question For Any FrontPage Users Publishing Webs from SBS 2003
    ... | Subject: Re: Question For Any FrontPage Users Publishing Webs from SBS ... Produced By Microsoft MimeOLE V6.00.2900.2670 ... Please disable request authentication on ISA to allow the anonymous ... |> Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Remote Web Workplace Issues-Please help!
    ... Microsoft CSS Online Newsgroup Support ... <825763 How to configure Internet access in Windows Small Business Server ... <client after Authentication" right. ... <38110201-Remote Web Workplace Issues-Please help! ...
    (microsoft.public.windows.server.sbs)