Microsoft Security Bulletin MS02-025

From: "Jerry Bryant [MS]" <jbryant@online.microsoft.com>
Date: Wed, 29 May 2002 13:17:05 -0700


Title: Malformed Mail Attribute can Cause Exchange 2000 to
            Exhaust CPU Resources (Q320436)
Date: 29 May 2002
Software: Microsoft Exchange
Impact: Denial of Service
Max Risk: Critical
Bulletin: MS02-025

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-025.asp.
----------------------------------------------------------------------

Issue:
======
To support the exchange of mail with heterogeneous systems,
Exchange messages use the attributes of SMTP mail messages that are
specified by RFCs 821 and 822. There is a flaw in the way Exchange 2000
handles certain malformed RFC message attributes on received mail. Upon
receiving a message containing such a malformation, the flaw causes the
Store service to consume 100% of the available CPU in processing the
message.

A security vulnerability results because it is possible for an attacker to
seek to exploit this flaw and mount a denial of service attack. An attacker
could attempt to levy an attack by connecting directly to the Exchange
server and passing a raw, hand-crafted mail message with a specially
malformed attribute. When the message was received and processed by the
Store service, the CPU would spike to 100%. The effects of the attack would
last as long as it took for the Exchange Store service to process the
message. Neither restarting the service nor rebooting the server would
remedy the denial of service.

Mitigating Factors:
====================
 - The effect of an attack via this vulnerability would be
   temporary. Once the server completed processing the
   message, normal operations would resume. However, it
   is not possible to halt the processing of the message
   once begun, even with a reboot.

 - The vulnerability does not provide any capability to
   compromise data on the server or gain administrative
   control over it.

 - Mounting a successful attack requires the ability to pass a
   hand-crafted message to the target system, most likely through
   a simulated server-based connection. It is not possible to
   craft a malformed message using an email client such as
   Outlook or Outlook Express.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-025.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Mr. Allendoerfer (allendoerfer@uni-mainz.de);
   Mr. Koenig (koenig@uni-mainz.de);
   Mr. Kraemer (kraemer@uni-mainz.de);
   Mr. Schaal (schaal@uni-mainz.de);
   Mr. Tacke (tacke@uni-mainz.de) of the Computing Center,
   Johannes Gutenberg University Mainz, Germany
----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

