COMMAND
MS Exchange
SYSTEMS AFFECTED
Win NT running MSE 5.0
PROBLEM
Rajiv Pant found the following. The POP3 service of MS Exchange
Server 5.0 has a password caching problem. The bug, as an
example: create a user xyz on your NT domain with an Exchange 5.0
server running the POP3 service. Set xyz's password to a1234.
Things work fine so far. Now change xyz's password to b5678. You
will find that POP3 mail clients can log in using either password
a1234 or b5678 for user xyz. Now change the password to something
else. You will find that a POP3 client (or a direct telnet to
port 110) will allow you to log in as xyz using any of the three
passwords. They all work. The Exchange 5.0 POP3 service caches
passwords in a non-hashing mechanism, so all the passwords remain
active. This does not affect the new web page interface for
reading mail, which uses a different authentication mechanism.
Nor does it affect NT logons. In non-POP3 logins the passwords
are not cached (except for NNTP and LDAP).
Implications are that if an undesired person finds out your mail
password, changing it won't help because the POP3 service will
continue to accept the old passwords as well as the new ones.
You may find more at:
http://rajiv.org/active/
The "idle" lifetime is the lifetime of the credential if the user
never logs on again with those credentials, the "maximum"
lifetime is the total time a credential will be cached, even if
the session is active, before being revalidated.
For example, if I log in from my plain-text POP3 client as
redmond/johnsmith, password "Bloopy", at 7:00PM, the cached
credentials will be used if I log in again at 7:14PM. If I then
don't log on until 7:30PM, the "idle" lifetime of the credential
will have expired (at 7:29PM), and the credentials will be
discarded. If I log on at 7:00, 7:14, 7:28, and so on, the credentials
will be discarded at 9:00PM, regardless of the number of times
the user has been connected.
For some environments this behavior represents a relatively minor
risk. If a user discovers that their password has been
compromised and changes their password, there is an additional
window of time (around 15 minutes if the session is idle) where
an attacker could still use the compromised password to access
mail or newsgroups via POP3 or NNTP.
SOLUTION
The credentials cache is controlled by the following registry
values, all under
HKLM\System\CurrentControlSet\Services\MsExchangeIs\ParametersNetIf:
  Credentials Cache Age Limit  (Default = 120 minutes)
  Credentials Cache Idle Limit (Default = 15 minutes)
  Credentials Cache Size       (Default = 256 buckets)
To turn off caching, set the size to 0. Most users will not need
to change anything in their environment. Users who need
additional assurance can lower the registry parameters indicated
above to values acceptable in their environment. Setting
Credentials Cache Size to 0 causes a new authentication to be
performed for every POP3 session; this is not recommended for
most environments.
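As an added illustration (not code from this advisory, from
Rajiv Pant or from Exchange itself), the following Python model
reproduces the 7:00/7:14/7:30/9:00 PM timeline described under
PROBLEM and shows how the three registry values listed above bound
the window in which a changed password keeps working. The cache
mechanics, the in-memory directory, the helper t() and the date used
for the clock are assumptions made for this example; only the
defaults (120 minutes, 15 minutes, 256 buckets) come from the page.

```python
from datetime import datetime, timedelta

# Constructed model of a credentials cache with the three knobs the
# advisory names: age limit, idle limit and size. Written for this
# page as an illustration; it is not Exchange's own implementation.


class CredentialsCache:
    def __init__(self, directory, age_limit_min=120, idle_limit_min=15, size=256):
        self.directory = directory          # user -> current password (authoritative)
        self.age_limit = timedelta(minutes=age_limit_min)
        self.idle_limit = timedelta(minutes=idle_limit_min)
        self.size = size                    # 0 disables caching entirely
        self.entries = {}                   # (user, password) -> [first_cached, last_used]

    def _expired(self, entry, now):
        first_cached, last_used = entry
        return (now - last_used >= self.idle_limit) or (now - first_cached >= self.age_limit)

    def login(self, user, password, now):
        """Authenticate. Returns (accepted, source), source being
        'cache' or 'directory'."""
        key = (user, password)
        entry = self.entries.get(key)
        if entry is not None:
            if self._expired(entry, now):
                del self.entries[key]       # stale: fall through to revalidation
            else:
                entry[1] = now              # a hit refreshes only the idle timer
                return True, "cache"
        accepted = self.directory.get(user) == password
        if accepted and self.size > 0 and len(self.entries) < self.size:
            self.entries[key] = [now, now]
        return accepted, "directory"


def t(hhmm):
    # Helper: clock times on one constructed day; t("19:14") is 7:14 PM.
    return datetime(1997, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


def old_password_window(size=256):
    """Reproduce the reported bug: after a password change the old
    password keeps working for as long as its cached entry lives.
    Returns the verdicts for (old password at 19:10, new password at
    19:10, old password at 19:29)."""
    directory = {"johnsmith": "a1234"}
    cache = CredentialsCache(directory, size=size)
    cache.login("johnsmith", "a1234", t("19:00"))   # success gets cached
    directory["johnsmith"] = "b5678"                # password changed at 19:05
    old_at_1910, _ = cache.login("johnsmith", "a1234", t("19:10"))
    new_at_1910, _ = cache.login("johnsmith", "b5678", t("19:10"))
    old_at_1929, _ = cache.login("johnsmith", "a1234", t("19:29"))
    return old_at_1910, new_at_1910, old_at_1929


def advisory_timeline():
    """Walk the advisory's example: logins at 7:00, 7:14 and 7:30 PM,
    then a client that reconnects every 14 minutes until 9:00 PM.
    Returns the source consulted at each step."""
    cache = CredentialsCache({"johnsmith": "Bloopy"})
    sources = [cache.login("johnsmith", "Bloopy", t(h))[1]
               for h in ("19:00", "19:14", "19:30")]
    # Fresh cache; reconnecting every 14 minutes never trips the idle
    # limit, but the age limit discards the entry at 21:00 regardless.
    cache = CredentialsCache({"johnsmith": "Bloopy"})
    now = t("19:00")
    while now < t("21:00"):
        cache.login("johnsmith", "Bloopy", now)
        now += timedelta(minutes=14)
    sources.append(cache.login("johnsmith", "Bloopy", t("21:00"))[1])
    return sources


if __name__ == "__main__":
    print("default cache:", old_password_window())
    print("size = 0:     ", old_password_window(size=0))
    print("timeline:     ", advisory_timeline())
```

With the default values the old password is still accepted at
19:10 and only stops working once the idle limit expires; with
Credentials Cache Size set to 0 every login goes to the directory and
the old password is rejected immediately, at the cost of one
authentication per POP3 session.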
Another, more secure option is to use mail clients that support
native Windows NT Challenge/Response authentication rather than
plain-text authentication; Microsoft Outlook and Outlook Express
both support NT Challenge/Response authentication.