http://xforce.iss.net/alerts/advise4.php3 ISS Security Advisory July 24, 1998 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5 Synopsis: An attacker can disrupt an organization by crashing Microsoft Exchange Server over the network. This attack will stop e-mail and other services that Exchange provides for the organization. Recommended Action: Install vendor supplied hotfixes for Microsoft Exchange 5.0, and 5.5. Hotfixes are available for Exchange 5.0 and 5.5 at the following locations: Exchange Server 5.0 ALL LANGUAGES: [11]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.0/Post-SP2-STORE/ [12]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.0/Post-SP2-IMS/ Exchange Server 5.5 ENGLISH: [13]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.5/PostRTM/STORE-FIX [14]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.5/PostRTM/IMS-FIX Exchange Server 5.5 FRENCH: [15]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Frn/Exchg5.5/PostRTM/STORE-FIX [16]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Frn/Exchg5.5/PostRTM/IMS-FIX Exchange Server 5.5 GERMAN: [17]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Ger/Exchg5.5/PostRTM/STORE-FIX [18]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Ger/Exchg5.5/PostRTM/IMS-FIX Exchange Server 5.5 JAPANESE: [19]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Jpn/Exchg5.5/PostRTM/STORE-FIX [20]ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Jpn/Exchg5.5/PostRTM/IMS-FIX If you cannot apply the hotfix or service pack immediately, Microsoft recommends that you configure the Server Monitor in Microsoft Exchange Server Administrator to automatically restart the affected services if they stop. Determining if you are vulnerable: If you are running Microsoft Exchange 5.0 or 5.5 without appropriate hotfixes, you are vulnerable to the attacks. Description: There are vulnerabilities in the Exchange Internet Mail Service (IMS), the service that handles the SMTP protocol, and the Information Store, the service that handles the NNTP protocol, that will allow an attacker to crash the Internet Mail Service or the Information Store. These vulnerabilities are related to the way that the IMS handles the AUTH command and how the Information Store's NNTP server handles AUTHINFO. Both of these systems experience buffer overflow issues. A similar problem not related to the buffer overflow issue involves how IMS handles the AUTH command. This issue will also cause the service to crash. Note that when the Internet Mail Service crashes, the rest of Microsoft Exchange will still operate. When the Information Store crashes, Exchange Server cannot operate. Vulnerable Versions: Microsoft Exchange Server 5.0 and 5.5 are vulnerable without hotfixes applied Additional Information: There are two Microsoft Knowledge Base articles that address these issues -- Q188369 and Q188341. These can be obtained from Microsoft Support Online at [21]http://support.microsoft.com. ISS X-Force thanks the Microsoft Exchange group for providing assistance and patches to these issues in a timely fashion. These security issues were discovered by Jon Larimer of ISS X-Force <[22]jlarimer@iss.net>. -------- Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [23]xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: [24]http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: [25]http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force <[26]xforce@iss.net> of Internet Security Systems, Inc. [27]News | [28]Serious Fun | [29]Mail Lists | [30]Security Library [31]Protoworx | [32]Alerts | [33]Submissions | [34]Feedback [35]Advanced Search [36]About the Knowledge Base Copyright ©1994-1998 Internet Security Systems, Inc. All Rights Reserved. Sales Inquiries: [37]sales@iss.net 6600 Peachtree-Dunwoody Rd · Bldg 300 · Atlanta, GA 30328 Phone (678) 443-6000 · Fax (678) 443-6477 Read our [38]privacy guidelines. References 1. http://xforce.iss.net/news.php3 2. http://xforce.iss.net/seriousfun/ 3. http://xforce.iss.net/maillists/ 4. http://xforce.iss.net/library/ 5. http://xforce.iss.net/protoworx/ 6. http://xforce.iss.net/alerts/ 7. http://xforce.iss.net/submission.php3 8. http://xforce.iss.net/feedback.php3 9. http://xforce.iss.net/search.php3 10. http://xforce.iss.net/alerts/alerts.php3 11. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 12. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 13. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 14. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 15. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 16. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 17. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 18. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 19. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 20. ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes 21. http://support.microsoft.com/ 22. mailto:jlarimer@iss.net 23. mailto:xforce@iss.net 24. http://www.iss.net/xforce/sensitive.html 25. http://www.iss.net/xforce 26. mailto:xforce@iss.net 27. http://xforce.iss.net/news.php3 28. http://xforce.iss.net/seriousfun/ 29. http://xforce.iss.net/maillists/ 30. http://xforce.iss.net/library/ 31. http://xforce.iss.net/protoworx/ 32. http://xforce.iss.net/alerts/ 33. http://xforce.iss.net/submission.php3 34. http://xforce.iss.net/feedback.php3 35. http://xforce.iss.net/search.php3 36. http://xforce.iss.net/about.php3 37. http://xforce.iss.net/cgi-bin/getSGIInfo.pl 38. http://xforce.iss.net/privacy.php3