What's the scope of the vulnerability?
This vulnerability could enable an unauthorized user to conduct mail relaying via a Windows 2000 server. This could enable an attacker to disguise the origination point of a mail, or co-opt a server's resources for mass mailings. The vulnerability is subject to several constraints:
- It would only affect servers running the native Windows 2000 mail service. Mail servers running Exchange, even on Windows 2000, would not be affected.
- Even a machine that has the native Windows 2000 mail service installed would only be affected if it were configured as a stand-alone machine rather than a member of a domain.
- Proper firewalling could be used to prevent Internet users from exploiting the vulnerability.
What causes the vulnerability?
The vulnerability results from an authentication error in the SMTP service that installs as part of IIS. In the case where the server is a stand-alone machine rather than a domain member, it could be possible for an unauthorized user to authenticate to the machine and use it for mail relaying.
What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822. The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mail.
An SMTP implementation is provided with Windows 2000, and it installs by default. Microsoft Exchange Server also includes an SMTP service, but the component that performs SMTP authentication is different from the base SMTP Service in Windows 2000 and is not affected by the vulnerability.
What's wrong with the Windows 2000 SMTP service?
By design, a user should have to authenticate to the server before being allowed to use the SMTP service. However, a flaw in the Windows 2000 version of the SMTP service could cause it to accept incorrect authentication information as though it were valid. This could enable an attacker to gain the ability to use the SMTP service without authorization.
What would this enable the attacker to do?
Let's start with what it would not enable an attacker to do. The vulnerability would only confer user-level privileges on the SMTP service to the attacker - it would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.
The vulnerability would enable an attacker to levy mail requests as an authorized user. That is, it would enable the attacker to send or receive mail. The most likely use of this vulnerability would be in performing mail relaying.
What's mail relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate mail server, which then delivers it to the recipient's mail server. Mail relaying is often a legitimate practice. For example, suppose a company with several servers has designated one of them as a mail gateway to the Internet. Any e-mail sent to the company would arrive at the gateway server, then be relayed to the appropriate server for delivery to the recipient.
However, malicious users also sometimes try to perform unauthorized mail relaying. For example, a spammer who has a low-end server and a slow network connection might use mail relaying in order to get someone else's higher-powered mail server and fast network connection to send spam on their behalf. Mail relaying has also been misused to disguise the point of origin of an e-mail. For instance, there have been cases in which threatening e-mails were relayed in order to prevent the recipient from being able to trace where they came from.
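The following is an added illustration, not code from the bulletin or from Microsoft's SMTP service. It models the relay decision a gateway should make (the legitimate relaying described above, from internal hosts or properly authenticated users) and contrasts it with the flaw described earlier, where supplied credentials are accepted without being checked. The domains, network ranges, account table and session records are constructed.

```python
"""Relay-policy model for an SMTP gateway (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"example.com"}                       # constructed: domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: the company LAN
VALID_CREDS = {"alice": "correct-horse"}              # constructed stand-in for the account database


@dataclass
class Session:
    client_ip: str
    auth_user: Optional[str]     # None when the client did not attempt AUTH
    auth_secret: Optional[str]
    rcpt_to: str


def credentials_ok(user: Optional[str], secret: Optional[str], *, flawed: bool = False) -> bool:
    """Return True only when the user/secret pair matches the account table.

    With flawed=True the function models the bulletin's defect: any AUTH
    attempt is treated as successful, regardless of what was supplied."""
    if user is None:
        return False
    if flawed:
        return True
    return VALID_CREDS.get(user) == secret


def is_relay(rcpt_to: str) -> bool:
    """Delivery to a domain this server does not host is relaying."""
    return rcpt_to.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS


def relay_decision(s: Session, *, flawed: bool = False) -> str:
    """Classify a session as 'deliver', 'relay-ok' or 'relay-denied'."""
    if not is_relay(s.rcpt_to):
        return "deliver"                  # local recipient: not a relay at all
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "relay-ok"                 # internal host using the gateway
    if credentials_ok(s.auth_user, s.auth_secret, flawed=flawed):
        return "relay-ok"                 # genuinely authenticated user
    return "relay-denied"                 # outside client, no valid authentication
```

Run the same outside-client session with `flawed=True` and `flawed=False` to see the difference between an open relay and a server that enforces authentication.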
Are all Windows 2000 servers affected by the vulnerability?
A Windows 2000 server would only be affected by it if the SMTP service is installed and running. This is the default configuration, but Microsoft always recommends reviewing the list of services and disabling any that aren't needed.
If the SMTP service is installed and running, is the server automatically vulnerable?
No. Even if the SMTP service is installed and running, it would only be susceptible to this vulnerability if it were not part of a domain - that is, if it were a stand-alone machine. Domain members are not affected by the vulnerability.
How often are Windows 2000 servers configured as stand-alone machines?
In general, most Windows 2000 servers are configured as domain members, and would therefore not be affected by the vulnerability. However, one category of machines is often configured in a stand-alone, rather than domain member, role: web servers.
Best practices frequently recommend that web servers be configured as stand-alone machines, in order to minimize their utility to an attacker who managed to compromise one. As a result, it's quite possible that a particular Windows 2000 web server would be configured as a stand-alone machine. However, it's reasonable to assume that an administrator who followed best practices in deciding to configure a server as a stand-alone machine would also follow best practices and remove all unneeded services.
Would a firewall protect an affected server?
If a firewall were employed to block port 25, Internet-based users would be unable to reach the SMTP service, even if it was enabled, and would as a result be unable to exploit the vulnerability.
Does the vulnerability affect the SMTP service in Windows NT 4.0?
No. Only the SMTP service that ships with Windows 2000 is affected.
Does the vulnerability affect the SMTP service in Exchange?
Neither Exchange 5.5 nor Exchange 2000 is affected by the vulnerability.
- Exchange 5.5 installs its own components for providing SMTP services, and these are not affected by the vulnerability.
- Exchange 2000 uses the Windows 2000 SMTP Service, but replaces the component responsible for SMTP authentication with one that is not vulnerable. In addition, Exchange 2000 servers must be members of a domain, but this vulnerability only affects stand-alone machines.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the SMTP service properly authenticates users before allowing them to levy requests on it.