COMMAND
Microsoft Exchange Server
SYSTEMS AFFECTED
Win NT with Microsoft Exchange Server v5.0 (with SP1 & SP2) and v5.5
PROBLEM
Discovered by the ISS X-Force team, the vulnerabilities can result
in services being stopped. Specifically, an SMTP exploit can
result in the Internet Mail Service failing, and an NNTP exploit
could result in the Server Information Store service failing. If
a malicious attacker connects to a Microsoft Exchange Server
running the Internet Mail Service (TCP/IP port 25) and issues
certain sequences of incorrect data, an application error could
occur causing the Internet Mail Service to stop responding. This
will not directly affect other Exchange-related services. If the
Internet Mail Service fails due to this attack using the SMTP
protocol, it can simply be restarted. It does not require a
reboot of the operating system.
If a malicious attacker connects to a Microsoft Exchange Server
running the NNTP Service (TCP/IP port 119) and issues certain
sequences of incorrect data, an application error could occur
causing the Server Information Store to stop responding. If the
Exchange Information Store stops responding, it could cause other
Exchange services to fail as well. It would also cause user
attempts to connect to their folders on the mail server to fail.
If Exchange Information Store fails due to an attack using the
NNTP protocol, the affected services can simply be re-started. It
does not require a reboot of the operating system. No existing
mail or news articles on the server will be lost. Any active user
sessions that were committed when the shutdown occurred will be
preserved. However, incomplete transactions may be lost,
depending on what client software is used. Users may have to
re-type mail or articles that were under composition (if they did
not have AutoSave enabled in their mail client, or had not
manually saved a Draft copy).
SOLUTION
Microsoft strongly recommends that customers running Microsoft
Exchange Server version 5.5 or 5.0 should install the appropriate
hotfixes. These hotfixes are currently available at the following
locations:
Exchange Server 5.0 ALL LANGUAGES:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-STORE/
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-IMS/
Exchange Server 5.5 ENGLISH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 FRENCH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Frn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Frn/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 GERMAN:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Ger/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Ger/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 JAPANESE:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Jpn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Jpn/Exchg5.5/PostRTM/IMS-FIX
Microsoft Exchange 4.0 is not affected. Customers who cannot
apply the hotfix can use the following workaround to temporarily
address this issue.In the event that such an attack causes one or
more services to stop, the service failure can be detected by the
Server Monitor feature of Microsoft Exchange Server Administrator.
The Server Monitor can be configured to automatically restart the
affected Exchange services if they unexpectedly stop, reducing the
impact of the service failure.