Bugtraq mailing list archives
MS responds to Exchange Server 5.0 POP3 Security problem
From: manleyjw () IMC7 EMS LMCO COM (Manley, Jim W)
Date: Mon, 1 Sep 1997 08:43:54 -0500
From Michael Kaczmarek at Microsoft.
-----Original Message-----

Situation: POP3 password issue

Yesterday we were alerted to a possible security issue with the Exchange POP service whereby the passwords of users were supposedly cached for an unlimited period of time. This would allow a user to use any old password, even after it had been changed. This information had been passed to various organizations, such as CERT, and appeared on mailing lists such as the NTBUGTRAQ mailing list. It has also begun to surface in the press, such as an article in Network World. This is really not a security concern. (Talking points are below.)

Status

* CERT notified us about the issue and we have worked with them to help them understand it. They agree it does not warrant an advisory because they don't see it as being a real problem. We have provided an in-depth description of the issue to them, along with a pointer to the KB.
* Exchange Program Management and PSS have talked with the original "finder" of this issue and explained it to him. He has agreed to update his web site to include this information.
* An article has appeared on Network World talking about the issue and identifying it as a major security problem, and not identifying any solutions. http://www.nwfusion.com/cgi-bin/gate2?|33cp9kkP://WWW.1WbUegO1.COM/1EW e/36ccMepUG.9kMy3x361WbUegO1cdcds2oNF0wo,wtlKzU,s2oNz022in,g1cgkgVE
* Exchange product management has talked with Network World and their article will be updated today.
* A PSS KB article has been completed: Q166620
* A link will be created on www.microsoft.com/security to point to the KB article.

Talking points for POP3 password caching issue

* Microsoft takes security issues very seriously.
* In the NWW posting there is no general security risk; first a password must be stolen. If a user changes their password, there is a very limited time during which a cached version of the old encrypted credentials (not the password) can be used (15 minutes by default, up to 2 hours if the session is active).
* We have been working with CERT to qualify the scope of this issue.
* The cache minimum and maximum values are configurable, so in environments where password stealing may be more prevalent, schools for example, the cache values can be set for local circumstances.
* We have worked with the original person who reported this issue, and he has agreed to update his web site.
* The standard POP3 protocol, which most POP3 clients use, is inherently insecure in that it uses clear-text passwords. The caching behavior reported in the NWW article only occurs with clear-text authentication.
* We encourage users to use a more secure version of POP3 authentication such as NT Challenge/Response, which is supported by both Exchange Server and Outlook Express 4.0, and any version of Outlook with the current version of the POP3 driver.
* The Exchange server supports all 3 authentication mechanisms for POP3 (Basic, SSL, NTLM).
* The cache values can be adjusted very easily and can also be disabled. This is documented in Microsoft Knowledgebase article Q166620.
* The cache is designed to provide a good tradeoff between performance, security and user convenience.

More information

Description

Exchange Server 5.0 supports a number of native Internet protocols, including SMTP, POP3, NNTP, and LDAP. Of these protocols, POP3, NNTP and LDAP support authentication, in which the user's logon credentials are validated to determine their access permissions for the desired mailbox, newsgroup, or directory object. Exchange Server 5.0 supports both the strong Windows NT Challenge/Response authentication, which never passes the password across the network, as well as Basic (plain-text password) authentication. Basic authentication can optionally be combined with SSL network session encryption to protect passwords and content against sniffer attacks. All logons are mapped to a Windows NT security account, regardless of the authentication protocol used.

Credentials caching is only performed with Basic authentication, not with NT Challenge/Response. With Basic authentication, the user's POP3 client supplies the user's name and password to the Exchange Server over the wire in plain text. This is the standard method of operation for the POP3 protocol. The Exchange Server uses these credentials to create a session "as" the matching NT user. For performance reasons, the server caches these credentials in memory. The design of the cache is that after a user's credentials have been validated, the server saves the credentials (hashed using a secure hash) and their token in memory. Subsequent logons using the same credentials will use this cached token. Each credentials cache entry has a maximum lifetime of (by default) 2 hours, and an "idle" lifetime of 15 minutes. The "idle" lifetime is the lifetime of the credential if the user never logs on again with those credentials; the "maximum" lifetime is the total time a credential will be cached, even if the session is active, before being revalidated.

Impact

Most users will not be affected by this issue. For some environments this behavior represents a relatively minor risk. If a user discovers that their password has been compromised and changes their password, there is an additional window of time (around 15 minutes if the session is idle) where an attacker could still use the compromised password to access mail or newsgroups via POP3 or NNTP.

Workaround

Most users will not need to implement any changes to their environment. Users who need additional assurances can change the registry parameters indicated above to smaller values that are acceptable in their environment. Setting the credentials cache size to 0 will cause a new authentication to be performed for every POP3 session. Because of the nature of POP3 sessions, which are often short and bursty, the tradeoff for disabling credential caching is a potential reduction in performance. Performance will be affected depending on the number of POP3 users on your system, the frequency with which they check mail, and the location and load of your Windows NT Domain Controllers. Setting the cache to zero is not recommended for most environments. (See the KB article Q166620 for more information.) Another, more secure option is to use mail clients that support native Windows NT Challenge/Response authentication rather than plain-text authentication; Microsoft Outlook and Outlook Express both support NT Challenge/Response authentication.

Microsoft Plans

Microsoft has no plans to change this default behavior. We believe the values of 15 minutes for Idle Limit and 120 minutes for connection Age Limit are reasonable defaults. Nonetheless we are making customers aware of these settings, and providing information about how these settings can be modified to meet their organizational needs. This is already documented in a Microsoft KnowledgeBase article Q166620.
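The forwarded message describes the cache in words only: a hashed copy of the Basic-auth credentials plus a token, kept for an idle limit of 15 minutes and an age limit of 2 hours, with a cache size of 0 forcing revalidation on every logon. The following is an added model written for this archive page, not Exchange Server code and not anything Microsoft published: it implements those two lifetimes and the size-0 switch, and lets an administrator measure how long an already-changed password would still be accepted under a given setting. The HMAC-based credential hash, the LRU eviction, the token format and the `Directory` stand-in for the NT account database are all assumptions made for the example.

```python
"""Constructed model of a POP3 Basic-auth credential cache with an idle limit
and an age limit. Not Exchange Server code: the hash, eviction policy and
token format are assumptions made for this example."""

import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_IDLE_LIMIT = 15 * 60   # seconds; the message's 15-minute idle lifetime
DEFAULT_AGE_LIMIT = 120 * 60   # seconds; the message's 2-hour maximum lifetime


@dataclass
class CacheEntry:
    token: str        # session token minted when the credentials were validated
    created: float    # creation time, governs the age (maximum) limit
    last_used: float  # last hit time, governs the idle limit


class CredentialCache:
    def __init__(self, idle_limit=DEFAULT_IDLE_LIMIT, age_limit=DEFAULT_AGE_LIMIT,
                 size=1024, salt=None):
        self.idle_limit = idle_limit
        self.age_limit = age_limit
        self.size = size  # 0 disables caching: every logon is revalidated
        self._salt = salt if salt is not None else os.urandom(16)
        self._entries = {}

    def _key(self, user, password):
        # Only a keyed hash of the credentials is stored, never the plaintext
        # password (assumed construction; the message says "a secure hash").
        msg = f"{user}\0{password}".encode()
        return hmac.new(self._salt, msg, hashlib.sha256).hexdigest()

    def logon(self, user, password, validate, now):
        """Return (token, from_cache). `validate(user, password)` stands in for
        the domain-controller check and returns a token or None."""
        if self.size == 0:
            return validate(user, password), False
        key = self._key(user, password)
        entry = self._entries.get(key)
        if entry is not None:
            expired = (now - entry.created >= self.age_limit
                       or now - entry.last_used >= self.idle_limit)
            if expired:
                del self._entries[key]
            else:
                entry.last_used = now
                return entry.token, True  # DC not consulted
        token = validate(user, password)
        if token is None:
            return None, False
        if len(self._entries) >= self.size:
            # Evict the least recently used entry (assumed policy).
            oldest = min(self._entries, key=lambda k: self._entries[k].last_used)
            del self._entries[oldest]
        self._entries[key] = CacheEntry(token, now, now)
        return token, False


class Directory:
    """Constructed stand-in for the NT account database."""
    def __init__(self):
        self.passwords = {}

    def validate(self, user, password):
        return f"token:{user}" if self.passwords.get(user) == password else None


def stale_window(idle_limit, age_limit, size, retry_every):
    """Simulate: the user logs on with the old password at t=0 and changes it
    immediately afterwards; the old password is then presented again every
    `retry_every` seconds. Returns the last time (seconds) at which the old
    password was still accepted, or None if it never was."""
    directory = Directory()
    directory.passwords["alice"] = "old-pw"
    cache = CredentialCache(idle_limit, age_limit, size, salt=b"constructed-salt")
    cache.logon("alice", "old-pw", directory.validate, now=0.0)
    directory.passwords["alice"] = "new-pw"  # change reaches the DC at once
    last_ok, t = None, float(retry_every)
    while t <= age_limit + retry_every:
        token, _ = cache.logon("alice", "old-pw", directory.validate, now=t)
        if token is None:
            break
        last_ok = t
        t += retry_every
    return last_ok


if __name__ == "__main__":
    print("defaults, session kept active every 10 min:",
          stale_window(DEFAULT_IDLE_LIMIT, DEFAULT_AGE_LIMIT, 1024, 600))
    print("defaults, session idle for 20 min:",
          stale_window(DEFAULT_IDLE_LIMIT, DEFAULT_AGE_LIMIT, 1024, 1200))
    print("cache size 0 (caching disabled):",
          stale_window(DEFAULT_IDLE_LIMIT, DEFAULT_AGE_LIMIT, 0, 600))
```

With the defaults, an old password presented every 10 minutes keeps the entry alive until the 2-hour age limit closes it; a 20-minute gap exceeds the idle limit and the next logon goes back to the domain controller, which rejects the old password; with the size set to 0 the very first retry after the change fails. Lowering the idle limit shrinks the first window without disabling the cache, which is the tradeoff the message points administrators at.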