[SECURITY-L] CAIS-Alerta: Vulnerability in Exchange Server 2003 (832759)

Security Team - UNICAMP security em unicamp.br
Wed Jan 14 10:13:36 -02 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerability in Exchange Server 2003 (832759)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jan 2004 18:57:13 -0200 (BRDT)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

	CAIS is relaying the alert released by Microsoft, "Microsoft
Security Bulletin MS04-002: Vulnerability in Exchange Server 2003 Could
Lead to Privilege Escalation (832759)", which addresses a vulnerability in
the way HTTP connections are reused when NTLM authentication is used
between Exchange 2003 front-end servers providing OWA (Outlook Web Access)
access, when OWA runs on Windows 2000 and Windows Server 2003, and when
Exchange 2003 back-end servers run on Windows Server 2003.

Users who access their mailboxes through an Exchange 2003 front-end server
and OWA (Outlook Web Access) may gain access to another user's mailbox if
that user is stored on the same back-end server and that mailbox was
recently accessed. Attackers cannot predict which mailbox will be accessed.
This vulnerability causes random and unreliable access to user mailboxes
and is limited to mailboxes that were recently accessed through OWA.

Affected Systems:

	. Microsoft Exchange Server 2003

Unaffected Systems:

	. Microsoft Exchange 2000 Server
	. Microsoft Exchange Server 5.5


Available Fixes:

The fix consists of applying the patch recommended by Microsoft, available
at:

	. Microsoft Exchange Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en

For further details on workarounds, frequently asked questions, or other
technical recommendations for installing the fixes, consult the original
Microsoft alert.


Further information:

. Microsoft Security Bulletin MS04-002
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-002.asp

. Microsoft Knowledge Base Article 832749
http://support.microsoft.com/?kbid=832749

. Microsoft Knowledge Base Article 823265
http://support.microsoft.com/?kbid=823265

. Microsoft Knowledge Base Article 832769
http://support.microsoft.com/?kbid=832769


CVE identifiers: CAN-2003-0904
                        (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms update their
systems urgently, given the criticality of this alert.

Regards,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-002

Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation
(832759)

Issued: January 13, 2004
Version: 1.0
Summary

    Who should read this document: System administrators who have servers
that are running Microsoft® Outlook® Web Access for Microsoft Exchange
Server 2003

    Impact of vulnerability: Elevation of Privilege

    Maximum Severity Rating: Moderate

    Recommendation: System administrators should install this security
update on all front-end servers that are running Outlook Web Access for
Exchange Server 2003. Microsoft also recommends installing this security
update on all other Exchange 2003 servers so that they will be protected
if they are later designated as front-end servers.

    Security Update Replacement: None

    Caveats: Apply the update when a disruption in OWA and Simple Mail
Transfer Protocol (SMTP) mail flow and other Internet Information Services
(IIS) applications is acceptable.

    Tested Software and Security Update Download Locations:

        Affected Software:

            * Microsoft Exchange Server 2003 - Download the Update

	 http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en

        Non Affected Software:

            * Microsoft Exchange 2000 Server
            * Microsoft Exchange Server 5.5

    The software listed above has been tested to determine if the versions
are affected. Other versions either no longer include security patch
support or may not be affected. Please review the Microsoft Support
Lifecycle Web site to determine the support lifecycle for your product and
version.

	http://go.microsoft.com/fwlink/?LinkId=21742

    Technical Details

        Technical description:

        A vulnerability exists in the way that Hypertext Transfer Protocol
(HTTP) connections are reused when NTLM authentication is used between
front-end Exchange 2003 servers providing OWA access, when running Outlook
Web Access (OWA) on Windows 2000 and Windows Server 2003, and when using
back-end Exchange 2003 servers that are running Windows Server 2003.

        Users who access their mailboxes through an Exchange 2003
front-end server and Outlook Web Access might get connected to another
user's mailbox if that other mailbox is (1) hosted on the same back-end
mailbox server and (2) if that mailbox has been recently accessed by its
owner. Attackers seeking to exploit this vulnerability could not predict
which mailbox they might become connected to. The vulnerability causes
random and unreliable access to mailboxes and is specifically limited to
mailboxes that have recently been accessed through OWA.

        By default, Kerberos authentication is used as the HTTP
authentication method between Exchange Server 2003 front-end and back-end
Exchange servers. This behavior manifests itself only in deployments where
OWA is used in an Exchange front-end/back-end server configuration and
Kerberos has been disabled as an authentication method for OWA
communication between the front-end and back-end Exchange servers.

        This vulnerability is exposed if the Web site that is running the
Exchange Server 2003 programs on the Exchange back-end server has been
configured not to negotiate Kerberos authentication, causing OWA to fall
back to using NTLM authentication. The only known way that this
vulnerability can be exposed is by a change in the default configuration
of Internet Information Services 6.0 on the Exchange back-end server. This
vulnerability cannot be exposed by a routine fallback to NTLM because of a
problem with Kerberos authentication. This configuration change may occur
when Microsoft Windows SharePoint Services (WSS) 2.0 is installed on a
Windows Server 2003 server that also functions as an Exchange Server 2003
back-end.

        Mitigating factors:

            * To exploit this vulnerability, an attacker would first have
to authenticate to an Exchange Server 2003 front-end server.

            * The mailbox that an attacker could get access to is random
and not possible to predict. It is also not certain that they would get
connected to another user's mailbox at all.

            * Only mailboxes that have recently been accessed through
Outlook Web Access using the same pair of front-end and back-end servers
could be affected.

            * Exchange 2000 Server and Exchange Server 5.5 are not
affected by this vulnerability.

            * Only deployments that have a front-end server that hosts
Outlook Web Access for Exchange 2003 Server, that runs on either Windows
2000 or Windows Server 2003, and that has a back-end Exchange Server 2003
that runs on Windows Server 2003 are affected by this vulnerability.

            * By default, Kerberos authentication is used for HTTP
requests between an Exchange Server 2003 front-end server and an Exchange
back-end server. This vulnerability is only exposed if the Web site that
is running the Exchange Server 2003 programs on the Exchange back-end
server has been configured not to negotiate Kerberos authentication,
causing OWA to use NTLM authentication. This configuration change may
occur when Microsoft Windows SharePoint Services is installed on a Windows
Server 2003 server that also functions as an Exchange Server 2003
back-end.

        Severity Rating:
        Microsoft Exchange Server 2003 	Moderate

        The above assessment (http://go.microsoft.com/fwlink/?LinkId=21140)
is based on the types of systems that are affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the
vulnerability would have on them.

        Vulnerability identifier: CAN-2003-0904

    Workarounds

        Microsoft has tested the following workarounds that apply to this
vulnerability. These workarounds help block known attack vectors. However,
they will not correct the underlying vulnerability. Workarounds may reduce
functionality in some cases; in such cases, the reduction in functionality
is identified below.

           1. Disable HTTP connection reuse on an Exchange Server 2003
front-end server.

              By default, Exchange Server 2003 reuses HTTP Connections
between front-end and back-end servers to gain improved performance.
Connection reuse can be turned off on the Exchange front-end server. Doing
so could cause some performance degradation, but it is an effective
workaround to this vulnerability. After you apply the update to the
Exchange Server 2003 front-end server, you can remove this workaround.

              See Microsoft Knowledge Base Article 832749 for information
about how to disable HTTP connection reuse on a Microsoft Exchange Server
2003 front-end server.

              Impact of workaround: Clients may experience small
performance degradation when they use OWA to access their mailboxes.

           2. Enable Kerberos on the virtual server that hosts OWA on the
Exchange Server 2003 back-end server.

              The only known way that this vulnerability can be exposed is
if Kerberos is disabled on the Internet Information Services virtual
server where Outlook Web Access is hosted on the back-end server. This
configuration change may occur when Windows SharePoint Services (WSS) 2.0
is installed on the same virtual server.

              See Microsoft Knowledge Base Article 832769 for information
about how to configure Windows SharePoint Services to use Kerberos
authentication.

              See Microsoft Knowledge Base Article 823265 for information
about how to re-enable OWA and other Exchange components after you install
Windows SharePoint Services.

              Impact of workaround: None

    Frequently Asked Questions

        What is the scope of the vulnerability?

        Users who use Outlook Web Access for Exchange Server 2003 to
access their mailboxes could connect to another user's mailbox. An
attacker seeking to exploit this vulnerability could not predict which
mailbox they would become connected to or if they would connect to another
user's mailbox at all. The vulnerability causes random and unreliable
access to mailboxes and is specifically limited to mailboxes that have
recently been accessed through OWA. This behavior occurs when OWA is used
in an Exchange front-end server configuration and when Kerberos is
disabled as an authentication method for the IIS Web site that hosts OWA
on the back-end Exchange servers. By default, Kerberos authentication is
used as the HTTP authentication method between Exchange Server 2003
front-end and back-end Exchange servers.

        This vulnerability is only exposed if the Web site that is running
the Exchange Server 2003 programs on the Exchange back-end server has been
configured not to use Kerberos authentication, and OWA is using NTLM
authentication. This configuration change can occur when Microsoft Windows
SharePoint Services is installed on a Windows Server 2003 server that also
functions as an Exchange Server 2003 back-end.

        What causes the vulnerability?

        The vulnerability results because of the way that HTTP connections
are reused when using NTLM authentication between Exchange 2003 front-end
servers and Exchange 2003 back-end servers when the back-end server is
running Windows Server 2003.

        Even though Kerberos is enabled and used by default when an
Exchange Server 2003 front-end component authenticates to the back-end
Exchange server, there are situations when Kerberos authentication is
explicitly disabled on the back-end server, and therefore only NTLM
authentication is available.

        What is Outlook Web Access?

        Outlook Web Access is a feature of Exchange Server. By using OWA,
a server that is running Exchange Server can also function as a Web site
that lets authorized users read or send e-mail messages, manage their
calendar, or perform other mail functions over the Internet by using a Web
browser.

        OWA can be deployed in an Exchange front-end/back-end server
configuration.

        What are front-end and back-end Exchange servers?

        Exchange can be deployed so that end users with mailboxes on
multiple servers can all connect to a single front-end Exchange server.
This front-end server in turn connects ("proxies") to the appropriate
back-end servers where mailboxes are actually stored.

        What are Kerberos and NTLM?

        Kerberos and NTLM are two different authentication protocols.
Kerberos is the preferred Windows authentication protocol. It is used
whenever possible and is the default protocol that Exchange Server 2003
uses between front-end and back-end Exchange servers for Outlook Web
Access. NTLM authentication can be used as an alternate method when
Kerberos authentication is unavailable.

        How do I verify whether Kerberos is enabled for Outlook Web
Access?

        By default, Kerberos is enabled for OWA for Exchange Server 2003.
However, because Internet Information Services is the Windows component
that hosts OWA, check the configuration of your IIS server to verify that
Kerberos is enabled. To verify the IIS authentication setting, look in the
IIS metabase on the Exchange back-end server. To do so, use the following
command-line commands:

            * cscript.exe %SystemDrive%\inetpub\adminscripts\adsutil.vbs get w3svc/NTAuthenticationProviders

              -or-

            * cscript.exe %SystemDrive%\inetpub\adminscripts\adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

        If only the value "NTLM" is returned, there may be a problem. The
correct response is:

            * "The parameter 'NTAuthenticationProviders' is not set at
this node."

              -or-

            * "Negotiate, NTLM"

        The term negotiate is used to describe Kerberos authentication
over HTTP.

        See Microsoft Knowledge Base Article 832769 for information about
how to configure Windows SharePoint Services to use Kerberos
authentication.
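The decision rule above (an inherited default or "Negotiate, NTLM" is fine; a bare "NTLM" is the exposed configuration) can be applied to the output of both adsutil.vbs commands, taking metabase inheritance into account. This is an added example, not part of the bulletin; the sample outputs are constructed to resemble adsutil.vbs responses, and the parser keys only on the property name, the quoted value and the "is not set at this node" message the bulletin quotes.

```python
"""Interpret NTAuthenticationProviders as read from the IIS metabase at the
server node (w3svc) and the OWA site node (w3svc/1/root).

Added example, not Microsoft's code. Sample outputs below are constructed;
real adsutil.vbs formatting may differ slightly, which the regexes tolerate.
"""
import re
from typing import List, Optional

DEFAULT_PROVIDERS = ["Negotiate", "NTLM"]   # IIS default, per the bulletin

_NOT_SET = re.compile(r"is not set at this node", re.IGNORECASE)
# property name, optional type tag such as (STRING), then the quoted value
_VALUE = re.compile(
    r'NTAuthenticationProviders\s*:\s*(?:\(\w+\)\s*)?"?([^"\r\n]*?)"?\s*$',
    re.IGNORECASE | re.MULTILINE,
)


def parse_providers(output: str) -> Optional[List[str]]:
    """None when the property is not set at this node, else the provider list."""
    if _NOT_SET.search(output):
        return None
    m = _VALUE.search(output)
    if m is None:
        raise ValueError("unrecognised adsutil.vbs output: %r" % output)
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def effective_providers(server_output: str, site_output: str) -> List[str]:
    """Value IIS applies to the OWA site: its own node value, else inherited."""
    site = parse_providers(site_output)
    if site is not None:
        return site
    server = parse_providers(server_output)
    return server if server is not None else list(DEFAULT_PROVIDERS)


def kerberos_status(server_output: str, site_output: str) -> str:
    """'ok' when Negotiate (Kerberos over HTTP) is offered, else a finding."""
    names = {p.lower() for p in effective_providers(server_output, site_output)}
    if "negotiate" in names:
        return "ok"
    if names == {"ntlm"}:
        return "ntlm-only"   # the condition the bulletin flags on a back-end server
    return "unexpected"


# Constructed sample outputs, one per situation the bulletin describes.
SERVER_DEFAULT = "The parameter 'NTAuthenticationProviders' is not set at this node.\n"
SITE_DEFAULT = SERVER_DEFAULT
SITE_NTLM_ONLY = 'NTAuthenticationProviders       : (STRING) "NTLM"\n'
SITE_BOTH = 'NTAuthenticationProviders       : (STRING) "Negotiate, NTLM"\n'

if __name__ == "__main__":
    for label, site in [("inherited default", SITE_DEFAULT),
                        ("NTLM only", SITE_NTLM_ONLY),
                        ("explicit Negotiate, NTLM", SITE_BOTH)]:
        print(label, "->", kerberos_status(SERVER_DEFAULT, site))
```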

        I did not change any default security settings on my Exchange
server. Is there any other way Kerberos might have been disabled on the
Web site hosting the Exchange programs on the back-end Exchange server?

        Yes. When a Microsoft Internet Information Services virtual server
is extended with Windows SharePoint Services, the virtual server is
subsequently configured to use Integrated Windows authentication (formerly
named NTLM, or Windows NT Challenge/Response authentication) and
explicitly disables Kerberos authentication. If Windows SharePoint
Services (WSS) has been installed on the same server as an Exchange Server
2003 back-end running Windows Server 2003, Kerberos might have been
disabled on the Web site hosting the Exchange programs.

        See Microsoft Knowledge Base Article 832769 for information about
how to configure Windows SharePoint Services to use Kerberos
authentication.

        See Microsoft Knowledge Base Article 823265 for information about
how to re-enable OWA and other Exchange components after you install
Windows SharePoint Services.

        Who could exploit the vulnerability?

        To exploit this vulnerability, an attacker would have to be an
authorized user who has a mailbox on the same back-end Exchange server and
who could first authenticate through OWA by using valid credentials.

        The mailbox that an attacker could access is random and cannot be
predicted. It is also not certain that the attacker would get connected to
another user's mailbox at all.

        What could this vulnerability allow an attacker to do?

        An authenticated user who gained access to another user's mailbox
that is hosted on the same Exchange system could perform any action that
the legitimate user could do through OWA. This includes reading, sending,
and deleting e-mail messages in the user's mailbox.

        What systems are primarily at risk from the vulnerability?

        Only systems where Outlook Web Access is accessed through a
Microsoft Exchange Server 2003 front-end/back-end configuration are at
risk from the vulnerability.

        The back-end server must be running Exchange Server 2003 on
Windows Server 2003. The front-end server can be running Windows 2000 or
Windows Server 2003.

        Can my OWA be affected although I do not have a front-end and
back-end server configuration?

        No. Exchange servers running OWA on the same server as the
Exchange information store are not affected; only front-end/back-end
Exchange Server 2003 configurations are affected by this vulnerability.

        I am running Small Business Server 2003. Am I affected by this
vulnerability?

        No. Small Business Server is by default a single server setup with
OWA access through the same server that hosts user mailboxes. Only
front-end/back-end Exchange Server 2003 configurations are affected by
this vulnerability.

        Are all versions of Exchange and Outlook Web Access vulnerable?

        No. The vulnerability affects only Outlook Web Access for Exchange
Server 2003.

        On which Exchange servers should I install the update?

        This update is intended for front-end servers that are running
Outlook Web Access for Microsoft Exchange Server 2003.

        You do not have to install this update on back-end Exchange
servers or on front-end Exchange servers that are not providing OWA
services. However, it is recommended that you install this update on all
systems that are running Exchange Server 2003 so that you are protected if
you later migrate a back-end server to the role of a front-end server.

        Does the update introduce any behavioral changes?

        Yes. The update changes the connection pooling so that HTTP
connections that use NTLM to authenticate are not added to the pool. It is
unlikely that this behavioral change will be noticed by OWA end users.

        What does the update do?

        The update removes the vulnerability by making sure that all
authentication methods re-authenticate correctly before reusing any HTTP
connections between the front-end and back-end Exchange servers, and that
connections that are established by using NTLM authentication are not
improperly reused.
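The mechanism the bulletin describes (NTLM binds an identity to the connection, so a pooled NTLM connection reused for another OWA user still carries the first user's identity) and the update's change (NTLM connections are no longer pooled) can be modelled side by side. This is an added illustration, not Microsoft's code or Exchange's real proxy; the classes, the "kerberos"/"ntlm" labels and the rule that the back-end opens the mailbox of the connection's authenticated identity are assumptions made for the model.

```python
"""Model of the MS04-002 connection-reuse flaw and of the updated behaviour.

Added example, not Microsoft's code. Assumptions: Kerberos ("Negotiate")
names the user on every request via its ticket; NTLM authenticates the
connection once and the back-end serves later requests on that connection
as the bound identity.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Connection:
    """One front-end -> back-end HTTP connection."""
    scheme: str                      # "kerberos" or "ntlm"
    principal: Optional[str] = None  # identity bound by an NTLM handshake


class BackEnd:
    """Stand-in for the back-end Exchange/IIS server."""

    def serve(self, conn: Connection, user: str) -> str:
        """Return the mailbox owner the request is actually served as."""
        if conn.scheme == "kerberos":
            return user               # per-request ticket names the user
        if conn.principal is None:
            conn.principal = user     # NTLM handshake on first use binds identity
        return conn.principal         # later requests inherit the bound identity


class FrontEndProxy:
    """Front-end server that pools connections to one back-end."""

    def __init__(self, scheme: str, pool_ntlm: bool) -> None:
        self.scheme = scheme
        self.pool_ntlm = pool_ntlm    # True = pre-update behaviour
        self.pool: List[Connection] = []
        self.backend = BackEnd()

    def _acquire(self) -> Connection:
        if self.pool:
            return self.pool.pop()    # reuse a recently used connection
        return Connection(self.scheme)

    def _release(self, conn: Connection) -> None:
        # The update's change, as the bulletin states it: connections that
        # used NTLM are not added to the pool, so they are never reused.
        if conn.scheme == "ntlm" and not self.pool_ntlm:
            return
        self.pool.append(conn)

    def open_mailbox(self, user: str) -> str:
        """Proxy an OWA request for `user`; return whose mailbox was opened."""
        conn = self._acquire()
        try:
            return self.backend.serve(conn, user)
        finally:
            self._release(conn)


def simulate(scheme: str, pool_ntlm: bool,
             users: List[str]) -> Tuple[List[Tuple[str, str]], int]:
    """Run sequential OWA logons through one front-end; count cross-mailbox hits."""
    proxy = FrontEndProxy(scheme, pool_ntlm)
    results = [(u, proxy.open_mailbox(u)) for u in users]
    cross = sum(1 for requested, opened in results if requested != opened)
    return results, cross


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]   # constructed sample users
    for label, scheme, pool_ntlm in [
        ("NTLM, connections pooled (pre-update)", "ntlm", True),
        ("NTLM, NTLM connections not pooled (updated)", "ntlm", False),
        ("Kerberos default, pooled", "kerberos", True),
    ]:
        results, cross = simulate(scheme, pool_ntlm, users)
        print(f"{label}: {results} cross-mailbox={cross}")
```

In the pooled-NTLM case the second and third users are served as the first user, which is the random, unreliable cross-mailbox access the bulletin describes; with the updated pooling rule or with Kerberos every user reaches only their own mailbox.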

    Security Update Information

        Installation platforms and Prerequisites:

        Exchange Server 2003 (all versions)

            Prerequisites

            This security update requires a released version of Exchange
Server 2003.

            Inclusion in future service packs:

            The fix for this issue will be included in Exchange Server
2003 Service Pack 1.

            Installation Information

            This security update supports the following Setup switches:

                /? 	Show the list of installation switches.
                /u 	Use unattended mode (same as /m).
                /m 	Use unattended mode (same as /u).
                /f 	Force other programs to quit when the computer shuts down.
                /n 	Do not back up files for removal.
                /o 	Overwrite OEM files without prompting.
                /z 	Do not restart when the installation is complete.
                /q 	Use Quiet mode (no user interaction) and unattended mode (same as /u or /m).
                /l 	List installed hotfixes.
                /x 	Extract the files without running Setup.

            See Microsoft Knowledge Base article 331646 for additional
information about installer switches.

            Deployment Information

            To install the security update without any user intervention,
use the following command line:

                Exchange2003-kb832759-x86-enu /q

            Restart Requirement

            You do not have to restart your computer after you apply this
security update.

            However, the installer will restart Internet Information
Services (IIS) and all dependent services. Therefore, it is recommended
that you apply this security update at a time when there are no users
logged on through Outlook Web Access. Also, the restart of IIS stops the
routing engine and the SMTP service if the front-end Exchange server is
tasked with this role also. Therefore, no e-mail messages will be routed
during this restart of the IIS service. This includes incoming and
outgoing SMTP e-mail traffic.

            Apply this update when a disruption in OWA and SMTP e-mail
flow is acceptable.

            Removal Information

            To remove this update, use the Add or Remove Programs tool in
Control Panel.

            System administrators can use the Spuninst.exe utility to
remove this security update. The Spuninst.exe utility is located in the
%Windir%\$ExchUninstall832759$\Spuninst folder. The Spuninst.exe utility
supports the following Setup switches:

                /?  Show the list of installation switches.
                /u  Use unattended mode.
                /f  Force other programs to quit when the computer shuts down.
                /z  Do not restart when the installation is complete.
                /q  Use Quiet mode (no user interaction).

            File Information

            The English version of this fix has the file attributes (or
later) that are listed in the following table. The dates and times for
these files are listed in coordinated universal time (UTC). When you view
the file information, it is converted to local time. To find the
difference between UTC and local time, use the Time Zone tab in the Date
and Time tool in Control Panel.

            Exchange Server 2003 Enterprise Edition and Exchange Server
2003 Standard Edition:

            Date 	Time 	Version 	Size 	File Name
            19-Dec-2003 	18:35 	6.5.6980.57 	396800 	exprox.dll

            Verifying Update Installation

            To verify that the security update is installed on your
computer, use the Microsoft Baseline Security Analyzer (MBSA) tool. For
additional information about MBSA, click the following article number to
view the article in the Microsoft Knowledge Base:

            320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is
Available

            You may also be able to verify the files that this security
update installed by reviewing the following registry key:

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server
2003\SP1\832759

            Note This registry key may not be created correctly if an
administrator or an OEM integrates or slipstreams the 832759 security
update in the Windows installation source files.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:

    * Security updates are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for "security_patch".

    * Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:

    * Technical support is available from Microsoft Product Support
Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is
no charge for support calls that are associated with security updates.

    * International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with security
updates. Information on how to contact Microsoft support is available at
the International Support Web Site.

Security Resources:

    * The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

    * Microsoft Software Update Services

    * Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge
Base Article 306460 for list of security updates that have detection
limitations with the MBSA tool.

    * Windows Update

    * Windows Update Catalog: Please view Knowledge Base Article 323166
for more information on the Windows Update Catalog.

    * Office Update

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site. SMS also provides several additional tools to assist administrators
in the deployment of security updates such as the SMS 2.0 Software Update
Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS
2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline
Security Analyzer and the Microsoft Office Detection Tool to provide broad
support for security bulletin remediation. Some software updates may
require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services
Feature Pack may be used for targeting updates to specific computers, and
the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool
can be used for installation. This provides optimal deployment for updates
that require explicit targeting using Systems Management Server and
administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

    * V1.0 January 13, 2004: Bulletin published





----- End forwarded message -----


