Security Bulletin

Microsoft Security Bulletin MS01-037 - Critical

Authentication Error in SMTP Service Could Allow Mail Relaying

Published: July 05, 2001 | Updated: June 13, 2003

Version: 1.1

Originally posted: July 05, 2001
Updated: June 13, 2003

Summary

Who should read this bulletin: 
Customers using Microsoft® Windows® 2000.

Impact of vulnerability: 
Mail relaying

Recommendation: 
Customers who need SMTP services should apply the patch; all others should disable the SMTP service.

Affected Software:

  • Microsoft Windows 2000

General Information

Technical details

Technical description:

An SMTP service installs by default as part of Windows 2000 server products, and can be selected for installation on Windows 2000 Professional. A vulnerability results because of a flaw in the authentication process used by the service. The vulnerability could allow an unauthorized user to successfully authenticate to the service using incorrect credentials. An attacker who exploited the vulnerability could gain user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.

Mitigating factors:

  • Exchange servers -- even when run on Windows 2000 -- are not affected by this vulnerability.
  • Best practices recommend disabling unneeded services. If the SMTP service has been disabled, the vulnerability could not be exploited.
  • The vulnerability only affects stand-alone machines, not domain members.
  • Proper firewalling could prevent Internet-based attacks by blocking port 25 on servers that do not specifically need to accept SMTP traffic.

Vulnerability identifier: CAN-2001-0504

Tested Versions:

Microsoft tested Windows 2000, Windows NT® 4.0, Exchange 5.5 and Exchange 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable an unauthorized user to conduct mail relaying via a Windows 2000 server. This could enable an attacker to disguise the origination point of a mail, or co-opt a server's resources for mass mailings. The vulnerability is subject to several constraints:

  • It would only affect servers running the native Windows 2000 mail service. Mail servers running Exchange, even on Windows 2000, would not be affected.
  • Even a machine that has the native Windows 2000 mail service installed would only be affected if it were configured as a stand-alone machine rather than a member of a domain.
  • Proper firewalling could be used to prevent Internet users from exploiting the vulnerability.

What causes the vulnerability?
The vulnerability results because of an authentication error in the SMTP service that installs as part of IIS. In the case where the server is a stand-alone machine rather than a domain member, it could be possible for an unauthorized user to authenticate to the machine and use it for mail relaying.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822. The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mails. An SMTP implementation is provided with Windows 2000, and it installs by default. Microsoft Exchange Server also includes an SMTP service, but the component that performs SMTP authentication is different from the base SMTP Service in Windows 2000 and is not affected by the vulnerability.

What's wrong with the Windows 2000 SMTP service?
By design, a user should have to authenticate to the server before being allowed to use the SMTP service. However, a flaw in the Windows 2000 version of the SMTP service could cause it to accept incorrect authentication information as though it were valid. This could enable an attacker to gain the ability to use the SMTP service without authorization.

What would this enable the attacker to do?
Let's start with what it would not enable an attacker to do. The vulnerability would only confer user-level privileges on the SMTP service to the attacker - it would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands. The vulnerability would enable an attacker to levy mail requests as an authorized user. That is, it would enable the attacker to send or receive mail. The most likely use of this vulnerability would be in performing mail relaying.

What's mail relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate mail server, which then delivers it to the recipient's mail server. Mail relaying is often a legitimate practice. For example, suppose a company with several servers has designated one of them as a mail gateway to the Internet. Any e-mail sent to the company would arrive at the gateway server, then be relayed to the appropriate server for delivery to the recipient. However, malicious users also sometimes try to perform unauthorized mail relaying. For example, a spammer who has a low-end server and a slow network connection might use mail relaying in order to get someone else's higher-powered mail server and fast network connection to send spam on their behalf. Mail relaying also has been misused to disguise the point of origination for an email. For instance, there have been cases in which threatening e-mails were relayed in order to prevent the recipient from being able to trace where they came from.

Are all Windows 2000 servers affected by the vulnerability?
A Windows 2000 server would only be affected by it if the SMTP service is installed and running. This is the default configuration, but Microsoft always recommends reviewing the list of services and disabling any that aren't needed.

If the SMTP service is installed and running, is the server automatically vulnerable?
No. Even if the SMTP service is installed and running, it would only be susceptible to this vulnerability if it were not part of a domain - that is, if it were a stand-alone machine. Domain members are not affected by the vulnerability.

How often are Windows 2000 servers configured as stand-alone machines?
In general, most Windows 2000 servers are configured as domain members, and would therefore not be affected by the vulnerability. However, one category of machines is often configured in a stand-alone, rather than domain member, role -- web servers. Best practices frequently recommend that web servers be configured as stand-alone machines, in order to minimize their utility to an attacker who managed to compromise one. As a result, it's quite possible that a particular Windows 2000 web server would be configured as a stand-alone machine. However, it's reasonable to assume that an administrator who followed best practices in deciding to configure a server as a stand-alone machine would also follow best practices and remove all unneeded services.

Would a firewall protect an affected server?
If a firewall were employed to block port 25, Internet-based users would be unable to reach the SMTP service, even if it was enabled, and would as a result be unable to exploit the vulnerability.

Does the vulnerability affect the SMTP service in Windows NT 4.0?
No. Only the SMTP service that ships with Windows 2000 is affected.

Does the vulnerability affect the SMTP service in Exchange?
Neither Exchange 5.5 nor Exchange 2000 are affected by the vulnerability.

  • Exchange 5.5 installs its own components for providing SMTP services, and these are not affected by the vulnerability.
  • Exchange 2000 uses the Windows 2000 SMTP Service, but replaces the component responsible for SMTP authentication with one that is is not vulnerable. In addition, Exchange 2000 servers must be members of a domain, but this vulnerability only affects standalone machines.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the SMTP service properly authenticates users before allowing them to levy requests on it.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows 2000 Service Pack 1 or Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q302755.
  • To verify the individual files, use the date/time and version information provided in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q302755\Filelist

Caveats:

None

Localization:

Localized versions of this patch are available from the download locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Joao Gouveia for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q302755 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 05, 2001): Bulletin Created.
  • V1.1 (June 13, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00