MS responds to Exchange Server 5.0 POP3 Security problem

[manleyjw () IMC7 EMS LMCO COM (Manley, Jim W)]

> From Michael Kaczmarek at Microsoft.

> -----Original Message-----
> Situation: POP3 password issue
>               Yesterday we were alerted to a possible security issue
> with the Exchange POP service whereby the password of users were
> supposedly cached for an unlimited period of time. This would allow a
> user to use any old password, even after it had been changed. This
> information had been passed to various organizations, such as CERT,
> and appeared on mailing lists such as the NTBUGTRAQ mailing list. It
> has also begun to surface in the press, such as an article in Network
> World.
>
>               This is really not a security concern. (talking points
> are below)
>
> Status
> *     CERT notified us about the issue and we have worked with them to
> help them understand it. They agree it does not warrant an advisory
> because they don't see it as being a real problem. We have provided an
> indepth description of the issue to them, along with a pointer to the
> KB.
> *     Exchange Program Management and PSS have talked with the
> original "finder" of this issue and explained it to him. He has agreed
> to update his web site to include this information.
> *     An article has appeared on Network World talking about the issue
> and identifying it as a major security problem, and not identifying
> any solutions.
> http://www.nwfusion.com/cgi-bin/gate2?|33cp9kkP://WWW.1WbUegO1.COM/1EW
> e/36ccMepUG.9kMy3x361WbUegO1cdcds2oNF0wo,wtlKzU,s2oNz022in,g1cgkgVE
> *     Exchange product management has talked with Network World and
> their article will beupdated today.
> *     A PSS KB article has been completed: Q16620
> *     A link will be created on www.microsoft.com/security to point to
> the KB article.
>
>
> Talking points for POP3 passsword caching issue
> *     Microsoft takes security issues very seriously
> *     In the NWW posting there is no general secuirty risk, first a
> password must be stolen.   If a user changes their password, there is
> a very limited time, during which a cached version of the old
> encrypted credentials (not the password) can be used (15 minutes by
> default) up to 2 hours if the session is active.
> *     We have been working with CERT to qualify the scope of this
> issue
> *     The cache minimimum and maximum values are configurable, so in
> environments where password stealing may be more prevelent, schools
> for example, the cache values can be set for local circumstances.
> *     We have worked with the original person who reported this issue,
> and  he has agreed to update his web site.
> *     The standard POP3 protocol, which most POP3 clients use is
> inherently insecure in that it uses clear-text passwords.  The
> cacheing behavior reported in the NWW article only occurs with clear
> text authentication.
> *     We encourage users to use a more securie version of POP3
> authentication such as NT challenge Response, which is supported by
> both Exchange Server and  Outlook Express 4.0, and any version of
> Outlook with the current version of the POP3 driver.
> *     The Exchange server supports all 3 authentication mechanisms for
> POP3 (Basic, SSL, NTLM)
> *     The cache values can be adjusted very easily and can also be
> disabled. This is documented in Microsoft Knowledgebase article
> Q166620.
> *     The cache is designed to provide a good tradeoff between
> performance, security and user convenience.
>
> More information
>               Description
>               Exchange Server 5.0 supports a number of native Internet
> protocols - including SMTP, POP3, NNTP, and LDAP. Of these protocols
> -- POP3, NNTP and LDAP support authentication, in which the user's
> logon credentials are validated to determine their access permissions
> for the desired mailbox, newsgroup, or directory object. Exchange
> Server 5.0 supports both the strong Windows NT Challenge/Response
> authentication, which never passes the password across the network, as
> well as Basic (plain-text password) authentication. Basic
> authentication can optionally be combined with SSL network session
> encryption to protect passwords and content against sniffer attacks.
> All logons are mapped to a Windows NT security account, regardless of
> the authentication protocol used.
>
>               Credentials caching is only performed with Basic
> authentication, not with NT Challenge/Response. With Basic
> authentication, the user's POP3 client supplies the user's name and
> password to the Exchange Server over the wire in plain text. This is
> the standard method of operation for the POP3 protocol. The Exchange
> Server uses these credentials to create a session "as" the matching NT
> user. For performance reasons, the server caches these credentials in
> memory.
>
>               The design of the cache is that after a user's
> credentials have been validated, the server saves the credentials
> (hashed using a secure hash) and their token in memory. Subsequent
> logons using the same credentials will use this cached token. Each
> credentials cache entry has a maximum lifetime of (by default) 2
> hours, and an "idle" lifetime of 15 minutes.
>
>               The "idle" lifetime is the lifetime of the credential if
> the user never logs on again with those credentials, the "maximum"
> lifetime is the total time a credential will be cached, even if the
> session is active, before being revalidated.
>
>               Impact
>               Most users will not be affected by this issue. For some
> environments this behavior represents a relatively minor risk. If a
> user discovers that their password has been compromised and changes
> their password, there is an additional window of time (around 15
> minutes if the session is idle) where an attacker could still use the
> compromised password to access mail or newsgroups via POP3 or NNTP.
>
>               Workaround
>               Most users will not need to implement any changes to
> their environment. Users who need additional assurances can change the
> registry parameters indicated above to smaller values that are
> acceptable in their environment. Setting the credentials cache size to
> 0 will cause a new authentication to be performed for every POP3
> session. Because of the nature of POP3 sessions, which are often short
> and bursty, the tradeoff for disabling credential caching is a
> potential reduction in performance. Performance will be affected
> depending on the number of POP3 users on your system, the frequency
> with which they check mail, and the location and load of your Windows
> NT Domain Controllers. Setting the cache to zero is not recommended
> for most environments. (See the KB article Q166620 for more
> information.)
>
>               Another more secure option is to use mail clients that
> support native Windows NT Challenge/Response authentication, rather
> than plain-text authentication, Microsoft Outlok and Outlook Express
> both support NT Challenge/Response authentication.
>
>               Microsoft Plans
>               Microsoft has no plans to change this default behavior.
> We believe the values of 15 minutes for Idle Limit 120 minutes for
> connection Age Limit and are reasonable defaults. Nonetheless we are
> making customers aware of these settings, and providing information
> about how these setting can be modified to meet their organizational
> needs. This is already documented in a Microsoft KnowledgeBase article
> Q166620