Security Bulletin
Microsoft Security Bulletin MS98-007 - Important
Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Microsoft Exchange Server
Published: July 24, 1998 | Updated: March 10, 2003
Version: 2.0
Patch Availability Information Updated: Marc 10, 2003
Last Revision: September 9, 1998
Summary
Microsoft was recently alerted by Internet Security Systems, Inc.'s X-Force team of an issue with the way Microsoft® Exchange Server 5.5 and 5.0 process certain SMTP and NNTP protocol commands. By exploiting this vulnerability, a malicious attacker could cause specific Exchange services to stop responding. This issue does not affect Exchange Server 4.0.
This issue involves a denial of service vulnerability that can potentially be used by someone with malicious intent to unexpectedly cause multiple components of the Microsoft Exchange Server to stop. It cannot be used to crash the underlying operating system, or affect other non-Exchange components on the system.
The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.
Issue
For SMTP protocol:
If a malicious attacker connects to a Microsoft Exchange Server running the Internet Mail Service (TCP/IP port 25) and issues certain sequences of incorrect data, an application error could occur causing the Internet Mail Service to stop responding. This will not directly affect other Exchange-related services.
If the Internet Mail Service fails due to this attack using the SMTP protocol, it can simply be restarted. It does not require a reboot of the operating system.
For NNTP protocol:
If a malicious attacker connects to a Microsoft Exchange Server running the NNTP Service (TCP/IP port 119) and issues certain sequences of incorrect data, an application error could occur causing the Server Information Store to stop responding. If the Exchange Information Store stops responding, it could also cause other Exchange services to fail as well. It would also cause user attempts to connect to their folders on the mail server to fail.
If Exchange Information Store fails due to an attack using the NNTP protocol, the affected services can simply be re-started. It does not require a reboot of the operating system. No existing mail or news articles on the server will be lost. Any active user sessions that were committed when the shutdown occurred will be preserved. However, incomplete transactions may be lost, depending on what client software is used. Users may have to re-type mail or articles that were under composition (if they did not have AutoSave enabled in their mail client, or had not manually saved a Draft copy).
Affected Software Versions
- Microsoft Exchange Server, version 5.5
- Microsoft Exchange Server, version 5.0 (including 5.0 Service Pack 1 and 2)
Vulnerability Identifier: CAN-1999-1043
What Microsoft Is Doing
The Microsoft Exchange team has produced hotfixes for Microsoft Exchange Server versions 5.5 and 5.0.
What Customers Should Do
Microsoft strongly recommends that customers running Microsoft Exchange Server version 5.5 install Service Pack 1, which includes these hotfixes. For customers running Microsoft Exchange Server version 5.0, separate hotfixes are available at the location below:
Exchange Server 5.0 ALL LANGUAGES:
For Exchange Server 5.5 Service Pack 1, note that the following downloads may be labeled as being "40-bit security" versions. This only applies to the CLIENT subdirectory within, since only that subdirectory contains export-restricted encryption code. The SERVER subdirectory for each of these languages contains no export-restricted encryption code, and is therefore the same worldwide.
Exchange Server 5.5 Service Pack 1 - ENGLISH:
- </https:>https:
Exchange Server 5.5 Service Pack 1 - FRENCH:
</https:>https:
Exchange Server 5.5 Service Pack 1 - GERMAN:
</https:>https:
Exchange Server 5.5 Service Pack 1 - JAPANESE:
</https:>https:
Microsoft Exchange 4.0 is not affected.
Administrative Workaround
Customers who cannot apply the hotfix can use the following workaround to temporarily address this issue:
- In the event that such an attack causes one or more services to stop, the service failure can be detected by the Server Monitor feature of Microsoft Exchange Server Administrator. The Server Monitor can be configured to automatically restart the affected Exchange services if they unexpectedly stop, reducing the impact of the service failure.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin 98-007, Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange Server (the Web posted version of this bulletin), https://www.microsoft.com/technet/security/bulletin/ms98-007.mspx
- Microsoft Knowledge Base (KB) article 188341, XFOR: AUTH/EHLO Commands Cause Internet Mail Service to Stop, </https:>https:
- Microsoft Knowledge Base (KB) article 188369, XADM: AUTHINFO Command Causes Information Store Problems, </https:>https:
- Microsoft Exchange Web site, </https:>https:
Revisions
- July 24, 1998: Bulletin Created
- September 9, 1998: Updated to include information about Exchange 5.5 SP1
- V2.0 (March 10, 2003): Introduced versioning and updated patch availability information
For additional security-related information about Microsoft products, please visit https://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Built at 2014-04-18T13:49:36Z-07:00 </https:>