MCI Telecommunications internetMCI Security Group Report Title: iMCI MIIGS Security Alert Report Name: Potential SMTP and NNTP DoS Vulnerabilities in Exchange Server Report Number: iMCISE:IMCIMS:072498:01:P1R1 Report Date: 07/24/98 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) -------------------------------------------------------------------------- Microsoft Security Bulletin (MS98-007) ------------------------------------------------------------------------ Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange Server Last Revision: July 24, 1998 Summary ======= Microsoft was recently alerted by Internet Security Systems, Inc.'s X-Force team (http://www.iss.net) of an issue with the way Microsoft(R) Exchange Server 5.5 and 5.0 process certain SMTP and NNTP protocol commands. By exploiting this vulnerability, a malicious attacker could cause specific Exchange services to stop responding. This issue does not affect Exchange Server 4.0. This issue involves a denial of service vulnerability that can potentially be used by someone with malicious intent to unexpectedly cause multiple components of the Microsoft Exchange Server to stop. It cannot be used to crash the underlying operating system, or affect other non-Exchange components on the system. The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers. Issue ===== For SMTP protocol: ------------------ If a malicious attacker connects to a Microsoft Exchange Server running the Internet Mail Service (TCP/IP port 25) and issues certain sequences of incorrect data, an application error could occur causing the Internet Mail Service to stop responding. This will not directly affect other Exchange-related services. If the Internet Mail Service fails due to this attack using the SMTP protocol, it can simply be restarted. It does not require a reboot of the operating system. For NNTP protocol: ------------------ If a malicious attacker connects to a Microsoft Exchange Server running the NNTP Service (TCP/IP port 119) and issues certain sequences of incorrect data, an application error could occur causing the Server Information Store to stop responding. If the Exchange Information Store stops responding, it could cause other Exchange services to fail as well. It would also cause user attempts to connect to their folders on the mail server to fail. If Exchange Information Store fails due to an attack using the NNTP protocol, the affected services can simply be re-started. It does not require a reboot of the operating system. No existing mail or news articles on the server will be lost. Any active user sessions that were committed when the shutdown occurred will be preserved. However, incomplete transactions may be lost, depending on what client software is used. Users may have to re-type mail or articles that were under composition (if they did not have AutoSave enabled in their mail client, or had not manually saved a Draft copy). Affected Software Versions ========================== - Microsoft Exchange Server, version 5.5 - Microsoft Exchange Server, version 5.0 (including 5.0 Service Pack 1 and 2) What Microsoft is Doing ======================= The Microsoft Exchange team has produced hotfixes for Microsoft Exchange Server versions 5.5 and 5.0. What customers should do ======================== Microsoft strongly recommends that customers running Microsoft Exchange Server version 5.5 or 5.0 should install the appropriate hotfixes. These hotfixes are currently available at the following locations. Please note that the URLs have been wrapped for readability. Exchange Server 5.0 ALL LANGUAGES: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.0/Post-SP2-STORE/ ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.0/Post-SP2-IMS/ Exchange Server 5.5 ENGLISH: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.5/PostRTM/STORE-FIX ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Eng/Exchg5.5/PostRTM/IMS-FIX Exchange Server 5.5 FRENCH: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Frn/Exchg5.5/PostRTM/STORE-FIX ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Frn/Exchg5.5/PostRTM/IMS-FIX Exchange Server 5.5 GERMAN: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Ger/Exchg5.5/PostRTM/STORE-FIX ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Ger/Exchg5.5/PostRTM/IMS-FIX Exchange Server 5.5 JAPANESE: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Jpn/Exchg5.5/PostRTM/STORE-FIX ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ Jpn/Exchg5.5/PostRTM/IMS-FIX Microsoft Exchange 4.0 is not affected. Administrative workaround ========================= Customers who cannot apply the hotfix can use the following workaround to temporarily address this issue: In the event that such an attack causes one or more services to stop, the service failure can be detected by the Server Monitor feature of Microsoft Exchange Server Administrator. The Server Monitor can be configured to automatically restart the affected Exchange services if they unexpectedly stop, reducing the impact of the service failure. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS98-007, Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange Server (the web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-007.htm - Microsoft Knowledge Base (KB) article Q188341, XFOR: AUTH/EHLO Commands Cause Internet Mail Service to Stop, http://support.microsoft.com/support/kb/articles/q188/3/41.asp - Microsoft Knowledge Base (KB) article Q188369, XADM: AUTHINFO Command Causes Information Store Problems, http://support.microsoft.com/support/kb/articles/q188/3/69.asp - Microsoft Exchange web site, http://www.microsoft.com/exchange Revisions ========= - July 24, 1998: Bulletin Created For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security ------------------------------------------------------------------------ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (C) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp. ===================================================== You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.