             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Microsoft Vulnerability in Exchange Server 2003 Could Lead to Privilege
                             Escalation [MS04-002]

January 13, 2004 20:00 GMT                                        Number O-052
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the way that Hypertext Transfer
               Protocol (HTTP) connections are reused when NTLM authentication
               is used between front-end Exchange 2003 servers that provide
               Outlook Web Access (OWA), running on Windows 2000 or Windows
               Server 2003, and back-end Exchange 2003 servers that are
               running Windows Server 2003.
PLATFORM:      Microsoft Exchange Server 2003
DAMAGE:        This vulnerability causes random and unreliable access to
               mailboxes and is specifically limited to mailboxes that have
               recently been accessed through OWA.
SOLUTION:      Systems administrators should install this security update on
               all front-end servers that are running Outlook Web Access for
               Exchange Server 2003.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The attacker would first have to
ASSESSMENT:    authenticate to an Exchange Server 2003 front-end server, and
               this affects only mailboxes that have recently been accessed
               through Outlook Web Access using the same pair of front-end and
               back-end servers.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-052.shtml
 ORIGINAL BULLETIN:  Microsoft Security Bulletin MS04-002
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-002.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0904
______________________________________________________________________________

[***** Start MS04-002 *****]

Microsoft Security Bulletin MS04-002

Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation
(832759)

Issued: January 13, 2004
Version: 1.0

Summary

Who should read this document: System administrators who have servers that
are running Microsoft(R) Outlook(R) Web Access for Microsoft Exchange Server
2003

Impact of vulnerability: Elevation of Privilege

Maximum Severity Rating: Moderate

Recommendation: System administrators should install this security update on
all front-end servers that are running Outlook Web Access for Exchange Server
2003. Microsoft also recommends installing this security update on all other
Exchange 2003 servers so that they will be protected if they are later
designated as front-end servers.

Security Update Replacement: None

Caveats: Apply the update when a disruption in OWA and Simple Mail Transfer
Protocol (SMTP) mail flow and other Internet Information Services (IIS)
applications is acceptable.

Tested Software and Security Update Download Locations:

Affected Software:
  * Microsoft Exchange Server 2003 - Download the Update

Non Affected Software:
  * Microsoft Exchange 2000 Server
  * Microsoft Exchange Server 5.5

The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support or
may not be affected. Please review the Microsoft Support Lifecycle Web site to
determine the support lifecycle for your product and version.
Technical Details

Technical description:

A vulnerability exists in the way that Hypertext Transfer Protocol (HTTP)
connections are reused when NTLM authentication is used between front-end
Exchange 2003 servers that provide Outlook Web Access (OWA), running on
Windows 2000 or Windows Server 2003, and back-end Exchange 2003 servers that
are running Windows Server 2003. Users who access their mailboxes through an
Exchange 2003 front-end server and Outlook Web Access might get connected to
another user's mailbox if that other mailbox is (1) hosted on the same
back-end mailbox server and (2) has been recently accessed by its owner.
Attackers seeking to exploit this vulnerability could not predict which
mailbox they might become connected to. The vulnerability causes random and
unreliable access to mailboxes and is specifically limited to mailboxes that
have recently been accessed through OWA.

By default, Kerberos authentication is used as the HTTP authentication method
between Exchange Server 2003 front-end and back-end Exchange servers. This
behavior manifests itself only in deployments where OWA is used in an Exchange
front-end/back-end server configuration and Kerberos has been disabled as an
authentication method for OWA communication between the front-end and
back-end Exchange servers. This vulnerability is exposed if the Web site that
is running the Exchange Server 2003 programs on the Exchange back-end server
has been configured not to negotiate Kerberos authentication, causing OWA to
fall back to using NTLM authentication. The only known way that this
vulnerability can be exposed is by a change in the default configuration of
Internet Information Services 6.0 on the Exchange back-end server. This
vulnerability cannot be exposed by a routine fallback to NTLM because of a
problem with Kerberos authentication.
This configuration change may occur when Microsoft Windows SharePoint Services
(WSS) 2.0 is installed on a Windows Server 2003 server that also functions as
an Exchange Server 2003 back-end.

Mitigating factors:

  * To exploit this vulnerability, an attacker would first have to
    authenticate to an Exchange Server 2003 front-end server.
  * The mailbox that an attacker could get access to is random and not
    possible to predict. It is also not certain that they would get connected
    to another user's mailbox at all.
  * Only mailboxes that have recently been accessed through Outlook Web Access
    using the same pair of front-end and back-end servers could be affected.
  * Exchange 2000 Server and Exchange Server 5.5 are not affected by this
    vulnerability.
  * Only deployments that have a front-end server that hosts Outlook Web
    Access for Exchange 2003 Server, that runs on either Windows 2000 or
    Windows Server 2003, and that has a back-end Exchange Server 2003 that
    runs on Windows Server 2003 are affected by this vulnerability.
  * By default, Kerberos authentication is used for HTTP requests between an
    Exchange Server 2003 front-end server and an Exchange back-end server.
    This vulnerability is only exposed if the Web site that is running the
    Exchange Server 2003 programs on the Exchange back-end server has been
    configured not to negotiate Kerberos authentication, causing OWA to use
    NTLM authentication. This configuration change may occur when Microsoft
    Windows SharePoint Services is installed on a Windows Server 2003 server
    that also functions as an Exchange Server 2003 back-end.

Severity Rating:
  ********************************************
  Microsoft Exchange Server 2003      Moderate
  ********************************************

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0904

Workarounds

Microsoft has tested the following workarounds that apply to this
vulnerability. These workarounds help block known attack vectors. However,
they will not correct the underlying vulnerability. Workarounds may reduce
functionality in some cases; in such cases, the reduction in functionality is
identified below.

  * Disable HTTP connection reuse on an Exchange Server 2003 front-end server.

    By default, Exchange Server 2003 reuses HTTP connections between front-end
    and back-end servers to gain improved performance. Connection reuse can be
    turned off on the Exchange front-end server. Doing so could cause some
    performance degradation, but it is an effective workaround to this
    vulnerability. After you apply the update to the Exchange Server 2003
    front-end server, you can remove this workaround. See Microsoft Knowledge
    Base Article 832749 for information about how to disable HTTP connection
    reuse on a Microsoft Exchange Server 2003 front-end server.

    Impact of workaround: Clients may experience small performance degradation
    when they use OWA to access their mailboxes.

  * Enable Kerberos on the virtual server that hosts OWA on the Exchange
    Server 2003 back-end server.

    The only known way that this vulnerability can be exposed is if Kerberos
    is disabled on the Internet Information Services virtual server where
    Outlook Web Access is hosted on the back-end server. This configuration
    change may occur when Windows SharePoint Services (WSS) 2.0 is installed
    on the same virtual server. See Microsoft Knowledge Base Article 832769
    for information about how to configure Windows SharePoint Services to use
    Kerberos authentication. See Microsoft Knowledge Base Article 823265 for
    information about how to re-enable OWA and other Exchange components after
    you install Windows SharePoint Services.
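The technical description above and the two workarounds describe one failure mode: when the back-end binds an authenticated identity to a TCP connection (as NTLM over HTTP does) and the front-end hands that same connection to the next user's request, the second user is served as the first. The following Python model is an added illustration, not code from the CIAC bulletin, from Microsoft, or from Exchange itself. The classes, the "connection" versus "request" authentication modes, the `bind_pool_to_user` option and the request sequence are all constructed assumptions that simplify the real OWA front-end/back-end proxying; they show why disabling connection reuse (KB 832749) or using per-request Kerberos authentication (KB 832769) closes the gap.

```python
# Added example (not part of the CIAC/Microsoft bulletin): a toy model of why
# reusing front-end/back-end HTTP connections is dangerous when the back-end
# binds the authenticated identity to the connection (NTLM-style) rather than
# to each request (Kerberos-style). Names, classes and the request sequence
# are constructed for illustration and are not Exchange's actual code paths.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Connection:
    """One pooled HTTP connection from the front-end to the back-end server."""
    conn_id: int
    bound_user: Optional[str] = None  # identity the back-end attached to it


class BackEnd:
    """Simplified back-end mailbox server.

    auth_mode="connection": the first authenticated request binds its identity
    to the connection and every later request on that connection is served as
    that identity (the NTLM-style behaviour the bulletin describes).
    auth_mode="request": every request carries its own proof of identity and is
    served as that identity regardless of connection history (Kerberos-style).
    """

    def __init__(self, auth_mode: str) -> None:
        if auth_mode not in ("connection", "request"):
            raise ValueError("auth_mode must be 'connection' or 'request'")
        self.auth_mode = auth_mode

    def handle(self, conn: Connection, requesting_user: str) -> str:
        """Return the owner of the mailbox this request is actually served from."""
        if self.auth_mode == "connection":
            if conn.bound_user is None:
                conn.bound_user = requesting_user
            return conn.bound_user  # whoever authenticated the connection first
        return requesting_user      # per-request identity, connection irrelevant


class FrontEnd:
    """Simplified OWA front-end proxying requests over a pool of connections."""

    def __init__(self, backend: BackEnd, reuse_connections: bool,
                 bind_pool_to_user: bool = False) -> None:
        self.backend = backend
        self.reuse_connections = reuse_connections  # KB 832749 workaround: False
        # Hypothetical defensive option: never hand a user a connection that the
        # back-end has already bound to a different identity.
        self.bind_pool_to_user = bind_pool_to_user
        self.idle: List[Connection] = []
        self._next_id = 0

    def _acquire(self, user: str) -> Connection:
        if self.reuse_connections:
            for conn in self.idle:
                if not self.bind_pool_to_user or conn.bound_user in (None, user):
                    self.idle.remove(conn)
                    return conn
        self._next_id += 1
        return Connection(self._next_id)  # fresh connection, no bound identity

    def request(self, user: str) -> str:
        conn = self._acquire(user)
        try:
            return self.backend.handle(conn, user)
        finally:
            if self.reuse_connections:
                self.idle.append(conn)  # return the connection to the pool


# Constructed request sequence: two users sharing one front-end/back-end pair.
SCENARIO = ["alice", "bob", "alice"]


def simulate(auth_mode: str, reuse: bool,
             bind_pool_to_user: bool = False) -> List[Tuple[str, str]]:
    """Run SCENARIO; return (requesting user, mailbox actually served) pairs."""
    fe = FrontEnd(BackEnd(auth_mode), reuse, bind_pool_to_user)
    return [(user, fe.request(user)) for user in SCENARIO]


def leaks(auth_mode: str, reuse: bool,
          bind_pool_to_user: bool = False) -> List[Tuple[str, str]]:
    """Requests served from a mailbox other than the requester's own."""
    return [(u, served)
            for u, served in simulate(auth_mode, reuse, bind_pool_to_user)
            if u != served]


if __name__ == "__main__":
    print("NTLM-style, reuse on       :", leaks("connection", reuse=True))
    print("NTLM-style, reuse off      :", leaks("connection", reuse=False))
    print("Kerberos-style, reuse on   :", leaks("request", reuse=True))
    print("NTLM-style, pool per user  :",
          leaks("connection", reuse=True, bind_pool_to_user=True))
```

Only the first configuration leaks: bob's request rides on the connection the back-end already bound to alice, so he is served alice's mailbox, which matches the bulletin's point that the victim is whoever recently used the same front-end/back-end pair. Either workaround (no reuse, or per-request Kerberos) removes the leak, as does keying the pool by identity.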
    Impact of workaround: None

Security Update Information

Installation platforms and Prerequisites:
  * Exchange Server 2003 (all versions)

Obtaining other security updates:

Updates for other security issues are available from the following locations:
  * Security updates are available from the Microsoft Download Center, and can
    be most easily found by doing a keyword search for "security_patch".
  * Updates for consumer platforms are available from the WindowsUpdate Web
    site.

Support:
  * Technical support is available from Microsoft Product Support Services at
    1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge
    for support calls that are associated with security updates.
  * International customers can get support from their local Microsoft
    subsidiaries. There is no charge for support associated with security
    updates. Information on how to contact Microsoft support is available at
    the International Support Web Site.

Security Resources:
  * The Microsoft TechNet Security Web Site provides additional information
    about security in Microsoft products.
  * Microsoft Software Update Services
  * Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge Base
    Article 306460 for a list of security updates that have detection
    limitations with the MBSA tool.
  * Windows Update
  * Windows Update Catalog: Please view Knowledge Base Article 323166 for more
    information on the Windows Update Catalog.
  * Office Update
  * Systems Management Server (SMS): Systems Management Server can provide
    assistance deploying this security update. For information about Systems
    Management Server visit the SMS Web Site. SMS also provides several
    additional tools to assist administrators in the deployment of security
    updates such as the SMS 2.0 Software Update Services Feature Pack and the
    SMS 2.0 Administration Feature Pack.
    The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft
    Baseline Security Analyzer and the Microsoft Office Detection Tool to
    provide broad support for security bulletin remediation. Some software
    updates may require administrative rights following a restart of the
    computer.

    Note: The inventory capabilities of the SMS 2.0 Software Update Services
    Feature Pack may be used for targeting updates to specific computers, and
    the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool
    can be used for installation. This provides optimal deployment for updates
    that require explicit targeting using Systems Management Server and
    administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation
may not apply.

Revisions:
  * V1.0 January 13, 2004: Bulletin published

[***** End MS04-002 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-042: Red Hat 'lftp' Buffer Overflow Vulnerability
O-043: Red Hat Updated Kernel Packages
O-044: Sun Security Issue Involving the tcsh(1) ls-F Builtin on Solaris 8
O-045: Red Hat 'mremap()' function Vulnerability
O-046: HP 'ypxfrd' daemon Vulnerability
O-047: Debian 'nd' WebDAV command line Buffer Overflow Vulnerability
O-048: Debian fsp Buffer Overflow Vulnerability
O-049: Red Hat Updated CVS Packages Fix Minor Security Issue
O-050: Cisco Vulnerabilities in H.322 Message Processing
O-051: Microsoft Buffer Overflow in ISA Server 2000