Bugtraq mailing list archives

Microsoft Security Bulletin (MS98-007)


From: aleph1 () DFW NET (Aleph One)
Date: Sat, 25 Jul 1998 11:06:59 -0500


---------- Forwarded message ----------
Date: Fri, 24 Jul 1998 22:46:55 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-007)

Microsoft Security Bulletin (MS98-007)

------------------------------------------------------------------------

Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange Server


Last Revision: July 24, 1998

Summary
=======

Microsoft was recently alerted by Internet Security Systems, Inc.'s X-Force
team (http://www.iss.net) of an issue with the way Microsoft(R) Exchange
Server 5.5 and 5.0 process certain SMTP and NNTP protocol commands. By
exploiting this vulnerability, a malicious attacker could cause specific
Exchange services to stop responding. This issue does not affect Exchange
Server 4.0.

This issue involves a denial of service vulnerability that can potentially
be used by someone with malicious intent to unexpectedly cause multiple
components of the Microsoft Exchange Server to stop. It cannot be used to
crash the underlying operating system, or affect other non-Exchange
components on the system.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====

For SMTP protocol:
------------------
If a malicious attacker connects to a Microsoft Exchange Server running the
Internet Mail Service (TCP/IP port 25) and issues certain sequences of
incorrect data, an application error could occur causing the Internet Mail
Service to stop responding. This will not directly affect other
Exchange-related services.

If the Internet Mail Service fails due to this attack using the SMTP
protocol, it can simply be restarted. It does not require a reboot of the
operating system.

For NNTP protocol:
------------------
If a malicious attacker connects to a Microsoft Exchange Server running the
NNTP Service (TCP/IP port 119) and issues certain sequences of incorrect
data, an application error could occur causing the Server Information Store
to stop responding. If the Exchange Information Store stops responding, it
could cause other Exchange services to fail as well. It would also cause
user attempts to connect to their folders on the mail server to fail.

If the Exchange Information Store fails due to an attack using the NNTP
protocol, the affected services can simply be restarted. It does not
require a reboot of the operating system. No existing mail or news articles
on the server will be lost. Any active user sessions that were committed
when the shutdown occurred will be preserved. However, incomplete
transactions may be lost, depending on what client software is used. Users
may have to re-type mail or articles that were under composition (if they
did not have AutoSave enabled in their mail client, or had not manually
saved a Draft copy).

Affected Software Versions
==========================
 - Microsoft Exchange Server, version 5.5
 - Microsoft Exchange Server, version 5.0 (including 5.0 Service
   Pack 1 and 2)

What Microsoft is Doing
=======================
The Microsoft Exchange team has produced hotfixes for Microsoft Exchange
Server versions 5.5 and 5.0.

What customers should do
========================
Microsoft strongly recommends that customers running Microsoft Exchange
Server version 5.5 or 5.0 should install the appropriate hotfixes. These
hotfixes are currently available at the following
locations.  Please note that the URLs have been wrapped for readability.

Exchange Server 5.0 ALL LANGUAGES:
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Eng/Exchg5.0/Post-SP2-STORE/
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Eng/Exchg5.0/Post-SP2-IMS/

Exchange Server 5.5 ENGLISH:
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Eng/Exchg5.5/PostRTM/STORE-FIX
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Eng/Exchg5.5/PostRTM/IMS-FIX

Exchange Server 5.5 FRENCH:
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Frn/Exchg5.5/PostRTM/STORE-FIX
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Frn/Exchg5.5/PostRTM/IMS-FIX

Exchange Server 5.5 GERMAN:
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Ger/Exchg5.5/PostRTM/STORE-FIX
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Ger/Exchg5.5/PostRTM/IMS-FIX

Exchange Server 5.5 JAPANESE:
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Jpn/Exchg5.5/PostRTM/STORE-FIX
   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/
   Jpn/Exchg5.5/PostRTM/IMS-FIX

Microsoft Exchange 4.0 is not affected.

Administrative workaround
=========================
Customers who cannot apply the hotfix can use the following workaround to
temporarily address this issue:

In the event that such an attack causes one or more services to stop, the
service failure can be detected by the Server Monitor feature of Microsoft
Exchange Server Administrator. The Server Monitor can be configured to
automatically restart the affected Exchange services if they unexpectedly
stop, reducing the impact of the service failure.

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin MS98-007, Potential SMTP and NNTP
   Denial-of-Service Vulnerabilities in Exchange Server (the web-posted
   version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-007.htm
 - Microsoft Knowledge Base (KB) article Q188341, XFOR: AUTH/EHLO
   Commands Cause Internet Mail Service to Stop,
   http://support.microsoft.com/support/kb/articles/q188/3/41.asp
 - Microsoft Knowledge Base (KB) article Q188369, XADM: AUTHINFO
   Command Causes Information Store Problems,
   http://support.microsoft.com/support/kb/articles/q188/3/69.asp
 - Microsoft Exchange web site, http://www.microsoft.com/exchange

Revisions
=========
 - July 24, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(C) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

          =====================================================
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
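
An added example, not part of the bulletin and not Microsoft's Server Monitor: a banner probe that tells a service that has stopped responding on TCP port 25 (SMTP) or 119 (NNTP) apart from a healthy one, so an operator's own watchdog can decide which services to restart. The function names `probe` and `needs_restart` are hypothetical, the expected greeting codes come from the SMTP and NNTP standards, and the restart action itself is left to the local service manager.

```python
import socket

# Greeting codes a healthy server sends on connect:
# SMTP answers 220, NNTP answers 200 (posting allowed) or 201 (no posting).
GREETINGS = {"smtp": ("220",), "nntp": ("200", "201")}
DEFAULT_PORTS = {"smtp": 25, "nntp": 119}


def probe(host, protocol, port=None, timeout=5.0):
    """Classify one service as 'healthy', 'hung', 'down' or 'unexpected'."""
    port = port or DEFAULT_PORTS[protocol]
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"            # refused, unreachable, or connect timed out
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)
        except socket.timeout:
            return "hung"        # port accepts connections but never greets
        except OSError:
            return "down"        # connection reset before a greeting arrived
    if not banner:
        return "down"            # peer closed without sending a greeting
    code = banner[:3].decode("ascii", "replace")
    return "healthy" if code in GREETINGS[protocol] else "unexpected"


def needs_restart(host, checks, timeout=5.0):
    """Return the protocols whose probe result calls for a service restart.

    checks maps a protocol name to a port, or to None for the default port.
    """
    results = {p: probe(host, p, port, timeout) for p, port in checks.items()}
    return sorted(p for p, state in results.items() if state in ("down", "hung"))
```

A result of `unexpected` means the port answered with some other status and is reported rather than restarted, since the service is still responding.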


