What's this bulletin about?
Microsoft Security Bulletin MS00-088 announces the availability of manual procedure and tool that eliminates a potential vulnerability in Microsoft® Exchange 2000 Server and Exchange 2000 Enterprise Server. The vulnerability could be used to gain access to a network that contains an Exchange 2000 server. Microsoft is committed to protecting customers' information, and is providing this bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could enable a malicious user to log onto an Exchange 2000 Server via a user account created during setup. The specific capabilities the malicious user would gain access to would depend on the type of Windows 2000 Server on which Exchange is installed. If Exchange has been installed on a member server, the malicious user would only gain user privileges on that machine. He or she could take a variety of actions, including loading and running code of their choice on the specific server that has been compromised. If Exchange has been installed on a domain controller, the malicious user would gain domain user privileges. This would enable them to access other network resources and potentially cause further damage.
Best practices strongly recommend against installing Exchange - or any other applications - on a domain controller. Customers who have followed this recommendation would be at significantly less risk from this vulnerability. Regardless of whether Exchange is installed on a member server or domain controller, the user account at issue is an unprivileged one, and does not have access to Exchange 2000 data or the ability to perform administrative actions. Nevertheless, even these user privileges on a server can enable a malicious user to cause significant damage, and could provide a beachhead from which to launch additional attacks.
What causes the vulnerability?
The vulnerability results because a user account is created during setup of Exchange 2000 with a known username and password.
What account is created, and what purpose does it serve?
The user account EUSR_EXSTOREEVENT was created to facilitate the processing of workflow and other event scripts. Exchange 2000 supports running these scripts under the Windows system account, and as a result, this account is no longer required.
If the account isn't required, why was it created?
This type of user account was used in previous versions of Exchange. The account did not pose a security risk in those versions because it did not use a known username or password. This account was included in Exchange 2000 during the beta program while the current method of handling workflow and event scripts was developed. It was intended to be removed from the final shipping product; however, due to a production error, it was not actually removed from some early shipments.
Does this vulnerability affect Exchange 5.5?
No. This account only exists under Exchange 2000.
Is the EUSR_EXSTOREEVENT account highly privileged?
No. It has privileges that match those of a normal user. It does not have administrative privileges of any kind, nor any access to Exchange data.
Is EUSR_EXSTOREEVENT a local or domain account?
It's a local account. This means that in the vast majority of cases, it has no privileges whatsoever on the domain. However, there is one exception to this. If Exchange is installed on a domain controller, the account would be a domain account - because, by definition, all local accounts on domain controllers are in fact domain accounts.
How could a malicious user gain access to the account?
If the malicious user learned the username and password, she could simply login remotely to an Exchange Server.
Why can't I just disable the account?
You can. In fact, as discussed below, that's one simple way to eliminate the vulnerability.
Suppose Exchange were installed on a member server. What could the malicious user do if he exploited this vulnerability?
It's easier to start with what the malicious user could not do. The EUSR_EXSTOREEVENT account does not have administrative privileges, so the malicious user could not run tools or access files that are restricted to administrators. For instance, he or she could not change the security configuration of the machine, create new users on the machine or read Exchange 2000 data.
However, he or she could access any file that granted read, write or execute permissions to normal users, and could execute many operating system commands. Most importantly, he or she could load additional software onto the machine and run it, in an effort to gain additional privileges via other vulnerabilities.
Suppose Exchange were installed on a domain controller. What could the malicious user do if he exploited this vulnerability?
The malicious user's privileges would remain basically the same, except that he or she would now be a domain user rather than a local user. This means that he or she could access any resources, within a domain, that gave rights to members of the Domain Users group.
How common is it for Exchange to be deployed on a domain controller?
Microsoft recommends that a Domain Controller only be used to validate login requests. Other applications or services should be installed on member servers, however, we do understand that certain customers, particularly small to medium sized businesses, may run Exchange 2000 on a domain controller. As a result, we are providing the procedures and tool to cover all deployment scenarios.
Will a fix be included in Service Pack 1 for Exchange 2000?
Yes. A fix will be included in SP1 for Exchange 2000 and customers who deploy Exchange 2000 with SP1 will not need to use the procedure or tool in this bulletin.
How do I identify if my copy of Exchange 2000 is affected?
Use this table to determine whether you have an affected version:
| |
|---|
| Existing Installations | Check for the existence of the EUSR_EXSTOREEVENT account. If it exists, take the appropriate action documented in this bulletin and KB article. |
| New Installations | The following Exchange 2000 installation media are affected by this vulnerability:- Exchange 2000 Server CDs without "Rev A" printed on the CD on the line below the Part No. (see upper right quadrant)
- Exchange 2000 Enterprise Server CDs without "Rev A" printed on the CD below the Part No. (see upper right quadrant)
- Exchange 2000 Server and Exchange 2000 Enterprise Server included with the October 2000 Select CD shipment
For any Exchange 2000 evaluation edition and as another method to test for this vulnerability -- please use the filever.exe tool, available with Exchange 2000, to check the version of exsetdata.dll. If the version is equal to 6.0.4417.5, then you are affected by the vulnerability. Example of filever.exe usage:
<CD drive>\SUPPORT\UTILS\I386>filever \setup\i386\exsetdata.dll
If the resulting output contains the following version number (see bolded text below), then you are affected by this vulnerability. -r--- W32i DLL ENU 6.0.4417.5 shp 2,507,024 08-16-2000 exsetdata.dll
|
I know I'm affected what does the tool do?
The tool will search for the existence of the EUSR_EXSTOREEVENT account and delete it. The tool MUST be run on all Exchange 2000 machines from a Windows 2000 Administrator account.
What is the manual procedure?
Customers with Exchange 2000 currently installed:
- Delete the EUSR_EXSTOREEVENT account (OR) if in use
- Change the password
Customers who have not deployed Exchange 2000:
- Prior to installation manually create and disable EUSR_EXSTOREEVENT (AND)
- Delete the account after setup is completed
Where can I get the tool?
The download location for the tool is provided in the "Patch Availability" section of the security bulletin .
How do I use the tool?
Knowledge Base article Q278523 contains detailed instructions for applying the workaround or running the tool.
How can I tell if I ran the tool or followed the procedure correctly?
Knowledge Base article Q278523 provides details about the manual procedure and how to run the tool.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued Knowledge Base article Q278523 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
