*************************************************************************
Security Bulletin 9818                 DISA Defense Communications System
July 27, 1998            Published by: DISN Security Coordination Center
                                      (SCC@NIC.MIL)   1-(800) 365-3642

                   DEFENSE INFORMATION SYSTEM NETWORK
                           SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous"
and password="guest". The bulletin pathname is scc/sec-yynn (where "yy"
is the year the bulletin is issued and "nn" is a bulletin number, e.g.
scc/sec-9705.txt). These are also available at our WWW site,
http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important advisory was issued by the Microsoft      !
!     Product Security Response Team and is being relayed unedited      !
!     via the Defense Information Systems Agency's Security             !
!     Coordination Center distribution system as a means of             !
!     providing DISN subscribers with useful security information.      !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================
Microsoft Security Bulletin (MS98-007)
------------------------------------------------------------------------

Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange
Server

Last Revision: July 24, 1998

Summary
=======
Microsoft was recently alerted by Internet Security Systems, Inc.'s
X-Force team (http://www.iss.net) of an issue with the way Microsoft(R)
Exchange Server 5.5 and 5.0 process certain SMTP and NNTP protocol
commands.
By exploiting this vulnerability, a malicious attacker could cause
specific Exchange services to stop responding. This issue does not
affect Exchange Server 4.0.

This issue involves a denial of service vulnerability that can
potentially be used by someone with malicious intent to unexpectedly
cause multiple components of the Microsoft Exchange Server to stop. It
cannot be used to crash the underlying operating system, or affect other
non-Exchange components on the system.

The purpose of this bulletin is to inform Microsoft customers of this
issue, its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====

For SMTP protocol:
------------------
If a malicious attacker connects to a Microsoft Exchange Server running
the Internet Mail Service (TCP/IP port 25) and issues certain sequences
of incorrect data, an application error could occur causing the Internet
Mail Service to stop responding. This will not directly affect other
Exchange-related services.

If the Internet Mail Service fails due to this attack using the SMTP
protocol, it can simply be restarted. It does not require a reboot of
the operating system.

For NNTP protocol:
------------------
If a malicious attacker connects to a Microsoft Exchange Server running
the NNTP Service (TCP/IP port 119) and issues certain sequences of
incorrect data, an application error could occur causing the Server
Information Store to stop responding. If the Exchange Information Store
stops responding, it could cause other Exchange services to fail as
well. It would also cause user attempts to connect to their folders on
the mail server to fail.

If Exchange Information Store fails due to an attack using the NNTP
protocol, the affected services can simply be re-started. It does not
require a reboot of the operating system. No existing mail or news
articles on the server will be lost.
Any active user sessions that were committed when the shutdown occurred
will be preserved. However, incomplete transactions may be lost,
depending on what client software is used. Users may have to re-type
mail or articles that were under composition (if they did not have
AutoSave enabled in their mail client, or had not manually saved a Draft
copy).

Affected Software Versions
==========================
 - Microsoft Exchange Server, version 5.5
 - Microsoft Exchange Server, version 5.0 (including 5.0 Service Pack 1
   and 2)

What Microsoft is Doing
=======================
The Microsoft Exchange team has produced hotfixes for Microsoft Exchange
Server versions 5.5 and 5.0.

What customers should do
========================
Microsoft strongly recommends that customers running Microsoft Exchange
Server version 5.5 or 5.0 should install the appropriate hotfixes. These
hotfixes are currently available at the following locations. Please note
that the URLs have been wrapped for readability.

Exchange Server 5.0 ALL LANGUAGES:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.0/Post-SP2-STORE/
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.0/Post-SP2-IMS/

Exchange Server 5.5 ENGLISH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.5/PostRTM/IMS-FIX

Exchange Server 5.5 FRENCH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Frn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Frn/Exchg5.5/PostRTM/IMS-FIX

Exchange Server 5.5 GERMAN:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Ger/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Ger/Exchg5.5/PostRTM/IMS-FIX

Exchange Server 5.5 JAPANESE:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Jpn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Jpn/Exchg5.5/PostRTM/IMS-FIX

Microsoft Exchange 4.0 is not affected.

Administrative workaround
=========================
Customers who cannot apply the hotfix can use the following workaround
to temporarily address this issue:

In the event that such an attack causes one or more services to stop,
the service failure can be detected by the Server Monitor feature of
Microsoft Exchange Server Administrator. The Server Monitor can be
configured to automatically restart the affected Exchange services if
they unexpectedly stop, reducing the impact of the service failure.

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin MS98-007, Potential SMTP and NNTP
   Denial-of-Service Vulnerabilities in Exchange Server (the web-posted
   version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-007.htm
 - Microsoft Knowledge Base (KB) article Q188341, XFOR: AUTH/EHLO
   Commands Cause Internet Mail Service to Stop,
   http://support.microsoft.com/support/kb/articles/q188/3/41.asp
 - Microsoft Knowledge Base (KB) article Q188369, XADM: AUTHINFO Command
   Causes Information Store Problems,
   http://support.microsoft.com/support/kb/articles/q188/3/69.asp
 - Microsoft Exchange web site, http://www.microsoft.com/exchange

Revisions
=========
 - July 24, 1998: Bulletin Created

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(C) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

=====================================================

****************************************************************************
*                                                                          *
*    The point of contact for NIPRNET security-related incidents is the    *
*    ASSIST:                                                               *
*                                                                          *
*               E-mail address: ASSIST@ASSIST.MIL                          *
*                                                                          *
*               Telephone: 1-(800)-357-4231 (24 hours/day)                 *
*                                                                          *
*    You may also contact the Security Coordination Center (SCC) at the    *
*    NIC:                                                                  *
*                                                                          *
*               E-mail address: SCC@NIC.MIL                                *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,  *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD
community, please contact your agency's incident response team to report
incidents. Your agency's team will coordinate with DOD. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as a service to the DOD community.
Neither the United States Government nor any of its employees makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government. The opinions of the authors expressed herein do not
necessarily state or reflect those of the United States Government, and
shall not be used for advertising or product endorsement purposes.