Microsoft Security Bulletin MS02-011

Technical description:

Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Windows NT Server 4.0 Server Option Pack. Microsoft has updated the bulletin with additional information about Windows NT Server 4.0 Option Pack and Exchange Server 5.0 and also to direct users to a security update for Windows NT Server 4.0.

An SMTP service installs by default as part of Windows 2000 server products. There is no default SMTP service for Windows NT Server 4.0, but you may install an SMTP service as part of the Windows NT 4 Option Pack. An SMTP server is part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5 and Exchange Server 5.0. (The IMC, also known as the Microsoft Exchange Internet Mail Service, provides access and message exchange to and from any system that uses SMTP). A vulnerability results in the Windows and Exchange 5.5 services because of a flaw in the way they handle a valid response from the NTLM authentication layer of the underlying operating system. The Exchange 5.0 IMC does not support allowing or disallowing mail relay based on authentication, and therefore this issue does not apply to Exchange 5.0. If you are an Exchange 5.0 administrator, refer to the "Frequently Asked Questions" section of this bulletin for general information on securing an Exchange 5.0 server against malicious mail relay.

By design, the Windows 2000 and the Windows NT Server 4.0 SMTP service as well as the Exchange Server 5.5 IMC, upon receiving notification from the NTLM authentication layer that a user has been authenticated, perform additional checks before allowing the user to relay mail through the service. The vulnerability results because the affected services don't perform this additional checking correctly. In some cases, this could result in the SMTP service granting access to a user solely on the basis of their ability to successfully authenticate to the server.

An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.

Mitigating factors:

• Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service.
• The vulnerability would not enable the attacker to read other users' email, nor to send mail as other users.
• Best practices recommend disabling unneeded services. If the SMTP service has been disabled, the mail relaying vulnerability could not be exploited.
• The vulnerability would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.

Severity Rating: Low

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. An attacker could only relay mail and would not be able to read mail, gain system privileges or run programs.

Vulnerability identifier: CAN-2002-0054

Tested Versions:

Microsoft tested Windows 2000, Windows NT 4.0 Option Pack SMTP service, Exchange Server 5.5, Exchange Server 5.0 and Exchange Server 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why is Microsoft reissuing this bulletin?
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Windows NT Server 4.0 Option Pack. Microsoft has updated the bulletin with additional information about Windows NT Server 4.0 and Exchange Server 5.0 and also to direct users to an update for Windows NT Server 4.0.

What's the scope of the vulnerability?
This vulnerability could enable an unauthorized user to consume resources of a mail server without authorization. This could enable an attacker to disguise the origination point of a mail, or co-opt a server's resources for mass mailings.
This vulnerability is subject to constraints:

• It would only affect servers running the Exchange Server 5.5 Internet Mail Connector service, the native Windows 2000 SMTP service or the native Windows NT Server 4.0 SMTP Service.
• It would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.
• Mail servers running Exchange 2000 are not be affected by this vulnerability.

What causes the vulnerability?
The vulnerability results because of an authentication error affecting the SMTP service in Windows 2000, Windows NT Server 4.0, and the Exchange Server 5.5 Internet Mail Connector. These services should perform additional checking before granting mail privileges to a user who has authenticated to the server; however, they do not do so correctly.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822 . The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mails. An SMTP service is provided with Windows 2000 and installs by default on server products.

What is the Exchange 5.5 Internet Mail Connector?
The Internet Mail Connector (IMC) is the component in Exchange Server 5.5 that allows mail to be sent to and received from other servers that use SMTP. It installs by default as part of Exchange Server 5.5, and is also sometimes referred to as the Exchange Server 5.5 Internet Mail Service.

What's wrong with the Windows 2000 SMTP service, Windows NT Server 4.0 SMTP service and Exchange Server 5.5 IMC? 
Before a user can make use of a mail service, they first must authenticate to the server. But even if this is done successfully, the mail services themselves should perform additional checking to ensure that it's appropriate to let the user access them. The Windows 2000 SMTP service, Windows NT Server 4.0 SMTP Service, and Exchange Server 5.5 IMC do not perform this additional checking correctly. The result is that a user who could successfully authenticate to the server would always have the ability to use the mail services, even if it's not appropriate.

What would this enable the attacker to do?
The vulnerability would enable an attacker to levy mail requests as an authorized user. That is, it would enable the attacker to send mail. The most likely use of this vulnerability would be in performing mail relaying.

What's mail relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate mail server, which then delivers it to the recipient's mail server. Mail relaying is often a legitimate practice. For example, suppose a company with several servers has designated one of them as a mail gateway to the Internet. Any e-mail sent to the company would arrive at the gateway server, and then be relayed to the appropriate server for delivery to the recipient.
However, malicious users also sometimes try to perform unauthorized mail relaying. For example, a spammer who has a low-end server and a slow network connection might use mail relaying in order to get someone else's higher-powered mail server and fast network connection to send spam on their behalf. Mail relaying also has been misused to disguise the point of origination for an email.

Would the vulnerability allow the attacker to take any other actions on the server? 
The vulnerability would only confer user-level privileges on the SMTP service to the attacker - it would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands, nor would it allow the attacker to read, create, or send other users' mail.

Does this affect all Windows 2000 servers?
A Windows 2000 server would only be affected by it if the SMTP service is installed and running. This is the default configuration; however Microsoft always recommends reviewing the list of services and disabling any that aren't needed.

Does this affect all Windows NT Server 4.0 servers?

A Windows NT Server 4.0 server would only be affected by it if the SMTP service is installed and running. This is the default configuration if the NT Server 4.0 Option pack has been applied; however Microsoft always recommends reviewing the list of services and disabling any that aren't needed.

Does this affect all Exchange 5.0 servers?

No, because Exchange 5.0 servers do not support allowing or disallowing mail relay based on authentication. You cannot prevent unauthenticated users from relaying mail without disabling this capability for authenticated users too.

In Exchange 5.5, new functionality was added to enable SMTP routing for authenticated connections only, while disabling it for other connections. This new capability had the effect of turning on SMTP routing for authenticated users and turning it off for everyone else.

How then can I protect my Exchange 5.0 server?

Microsoft recommends that you do not connect an Exchange 5.0 Internet Mail Connector directly to the Internet unless you disable SMTP routing. To disable SMTP routing, use Exchange Administrator to select "Do not re-route incoming SMTP mail" on the properties of the Internet Mail Connector object.

If you turn off SMTP routing, this means that clients who connect to your Exchange server through the POP3 or IMAP4 protocols will be unable to send email using their SMTP server except to other users in your own SMTP domain. This would include all Outlook Express clients. Clients who use the MAPI protocol (Outlook users) will not be affected.

Does this vulnerability affect Windows XP Professional?
Windows XP Professional was tested and is not affected by this vulnerability.

I'm running Exchange Server 5.5 on a Windows 2000 system. Should I apply the Windows 2000 patch or the Exchange Server 5.5. patch?
Administrators of Exchange 5.5 only need apply the latest IMC patch described below. It is not necessary to apply the Windows 2000 patch.

I'm running Exchange 2000 Server. Do I need a patch?
No. Even though Exchange 2000 Server can be installed on a Windows 2000 server (and indeed, it is the only system it can be installed on), Exchange 2000 Server is not affected by this vulnerability. Exchange 2000 Server installs components that perform the additional checking correctly.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the SMTP service properly authenticates users before allowing them to levy requests on it.

Is there a single Windows 2000 patch for MS02-011 and MS02-12?
Yes, the Windows 2000 patch for both MS02-011 and MS02-012 are the same.

Download locations for this patch

• Windows 2000 Server, Professional and Advanced Server:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=427A3B0A-FF47-4684-8AA3-127EB19EB848&displaylang=en

• Windows NT Server 4.0:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=457C0C18-8C3E-4923-B395-614C117F13C5&displaylang=en

• Exchange Server 5.5:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=A9E872EA-54B0-4179-8AE9-5648BFB46459&displaylang=en

• Windows 2000 Datacenter Server:

  Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.