-----BEGIN PGP SIGNED MESSAGE-----
Here's the official word folks...
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
^ Habeeb J. Dihu
-' `- Practice Manager -- Risk Management Practice
" ' ` " Cirrus Technologies
" ' ` "
" ' . ` "
" ' .' ` ` " 'I don't believe in the no-win scenario'
" ` ' `' " -- Captain James T. Kirk, Star Trek II:
TWK
` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon
' could go to China.`'
-- Captain Spock, Star Trek VI: TUC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- -----Original Message-----
From: Microsoft Product Security Notification Service
[mailto:MICROSOFT_SECURITYat_private] On Behalf Of
Microsoft Product Security Response Team
Sent: Saturday, July 25, 1998 12:47 AM
To: MICROSOFT_SECURITYat_private
Subject: Microsoft Security Bulletin (MS98-007)
Microsoft Security Bulletin (MS98-007)
- ------------------------------------------------------------------------
Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange
Server
Last Revision: July 24, 1998
Summary
=======
Microsoft was recently alerted by Internet Security Systems, Inc.'s
X-Force
team (http://www.iss.net) of an issue with the way Microsoft(R)
Exchange
Server 5.5 and 5.0 process certain SMTP and NNTP protocol commands. By
exploiting this vulnerability, a malicious attacker could cause
specific
Exchange services to stop responding. This issue does not affect
Exchange
Server 4.0.
This issue involves a denial of service vulnerability that can
potentially
be used by someone with malicious intent to unexpectedly cause
multiple
components of the Microsoft Exchange Server to stop. It cannot be used
to
crash the underlying operating system, or affect other non-Exchange
components on the system.
The purpose of this bulletin is to inform Microsoft customers of this
issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its
customers.
Issue
=====
For SMTP protocol:
- ------------------
If a malicious attacker connects to a Microsoft Exchange Server
running the
Internet Mail Service (TCP/IP port 25) and issues certain sequences of
incorrect data, an application error could occur causing the Internet
Mail
Service to stop responding. This will not directly affect other
Exchange-related services.
If the Internet Mail Service fails due to this attack using the SMTP
protocol, it can simply be restarted. It does not require a reboot of
the
operating system.
For NNTP protocol:
- ------------------
If a malicious attacker connects to a Microsoft Exchange Server
running the
NNTP Service (TCP/IP port 119) and issues certain sequences of
incorrect
data, an application error could occur causing the Server Information
Store
to stop responding. If the Exchange Information Store stops
responding, it
could cause other Exchange services to fail as well. It would also
cause
user attempts to connect to their folders on the mail server to fail.
If Exchange Information Store fails due to an attack using the NNTP
protocol, the affected services can simply be re-started. It does not
require a reboot of the operating system. No existing mail or news
articles
on the server will be lost. Any active user sessions that were
committed
when the shutdown occurred will be preserved. However, incomplete
transactions may be lost, depending on what client software is used.
Users
may have to re-type mail or articles that were under composition (if
they
did not have AutoSave enabled in their mail client, or had not
manually
saved a Draft copy).
Affected Software Versions
==========================
- Microsoft Exchange Server, version 5.5
- Microsoft Exchange Server, version 5.0 (including 5.0 Service
Pack 1 and 2)
What Microsoft is Doing
=======================
The Microsoft Exchange team has produced hotfixes for Microsoft
Exchange
Server versions 5.5 and 5.0.
What customers should do
========================
Microsoft strongly recommends that customers running Microsoft
Exchange
Server version 5.5 or 5.0 should install the appropriate hotfixes.
These
hotfixes are currently available at the following
locations. Please note that the URLs have been wrapped for
readability.
Exchange Server 5.0 ALL LANGUAGES:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.0/Post-SP2-STORE/
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.0/Post-SP2-IMS/
Exchange Server 5.5 ENGLISH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Eng/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 FRENCH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Frn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Frn/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 GERMAN:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Ger/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Ger/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 JAPANESE:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Jpn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
Jpn/Exchg5.5/PostRTM/IMS-FIX
Microsoft Exchange 4.0 is not affected.
Administrative workaround
=========================
Customers who cannot apply the hotfix can use the following workaround
to
temporarily address this issue:
In the event that such an attack causes one or more services to stop,
the
service failure can be detected by the Server Monitor feature of
Microsoft
Exchange Server Administrator. The Server Monitor can be configured to
automatically restart the affected Exchange services if they
unexpectedly
stop, reducing the impact of the service failure.
More Information
================
Please see the following references for more information related to
this
issue.
- Microsoft Security Bulletin MS98-007, Potential SMTP and NNTP
Denial-of-Service Vulnerabilities in Exchange Server (the
web-posted
version of this bulletin),
http://www.microsoft.com/security/bulletins/ms98-007.htm
- Microsoft Knowledge Base (KB) article Q188341, XFOR: AUTH/EHLO
Commands Cause Internet Mail Service to Stop,
http://support.microsoft.com/support/kb/articles/q188/3/41.asp
- Microsoft Knowledge Base (KB) article Q188369, XADM: AUTHINFO
Command Causes Information Store Problems,
http://support.microsoft.com/support/kb/articles/q188/3/69.asp
- Microsoft Exchange web site, http://www.microsoft.com/exchange
Revisions
=========
- July 24, 1998: Bulletin Created
For additional security-related information about Microsoft products,
please
visit http://www.microsoft.com/security
- ------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR
ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(C) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see
http://support.microsoft.com/support/misc/cpyright.asp.
=====================================================
You have received this e-mail bulletin as a result of your
registration
to the Microsoft Product Security Notification Service. You
may
unsubscribe from this e-mail notification service at any time by
sending
an e-mail to
MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private
The subject line and message body are not used in processing the
request,
and can be anything you like.
For more information on the Microsoft Security Notification
Service
please visit http://www.microsoft.com/security/bulletin.htm.
For
security-related information about Microsoft products, please visit
the
Microsoft Security Advisor web site at
http://www.microsoft.com/security.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2
iQCVAwUBNbl1NlTtNfTWxXdNAQEltwP/bf2UwBnu3yFoJGgvk657EjWzXYd4NxLh
4wvpg3QzGpnkyu+792QbFXX3u0odumcL6vhJg8rMiQtZOlFRCyhli4c+kyCxXgTJ
BLxdmWFcEfyF1FqbUZRq9Oq2kQzZVoCZydIRuAnGoMUQALB9H2UTO48twru9EDas
f067bmUQR+U=
=PTs5
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:59 PDT