Exchange Server Malformed MIME Header vulnerability (Patch available) ------------------------------------------------------------------------ SUMMARY Microsoft has released a patch that eliminates a security vulnerability in Microsoft Exchange Server 5.5. The vulnerability could enable a malicious user to cause an Exchange server to fail. To obtain more technical information about this vulnerability see: <http://www.securiteam.com/windowsntfocus/Exchange_Server_Attachment_DoS_attack__boundary_.html> Exchange Server Attachment DoS attack (boundary). DETAILS Affected Software Versions: - Microsoft Exchange Server 5.5 As part of its normal processing of incoming mails, Exchange server checks for invalid values in the MIME header fields. However, if a particular type of invalid value is present in certain fields, the Exchange service will fail. Restarting the Exchange service and deleting the offending mail can restore normal operations. There is no capability via this vulnerability to add, delete or modify emails, nor is there any capability to usurp administrative privileges on the server. The vulnerability can be eliminated either by applying the patch or Exchange 5.5 Service Pack 4, which is due to be released shortly. Exchange 2000 is not affected by the vulnerability. Patch Availability: - Microsoft Exchange Server 5.5: <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443 Note: This patch can be applied atop systems running Exchange Server 5.5 Service Pack 3. It is included in Exchange Server 5.5 Service Pack 4. What's the scope of the vulnerability? This is a denial of service vulnerability. It could enable a malicious user to create an email that, when processed by an affected mail server, would cause the Exchange service to fail. The vulnerability would not enable the malicious user to compromise data or gain any additional privileges on the server. The server could be returned to normal service by restarting the Exchange service and removing the malformed email from the message queue. The fix for this issue also is available via Exchange 5.5 Service Pack 4, and customers who apply Service Pack 4 do not need to apply the patch. Exchange 2000 is not affected by the vulnerability. What causes the vulnerability? Exchange 5.5 does not properly handle emails with a certain type of invalid MIME header. If a malicious user sent such an email to an affected server, it would cause the Exchange service to fail. What's MIME? MIME (Multipurpose Internet Mail Extensions) is a set of extensions to the original Internet mail standard. The original standard, discussed in RFC 822, had two significant limitations. First, only US ASCII text was supported. Second, every mail, no matter how long, had to be transmitted as a single block of text. The MIME extensions, discussed in RFCs 2045, 2046, 2047, 2048, and 2049, are designed to eliminate these limitations. They provide a standard for encoding mail using different language character sets, for creating mails that contain non-textual content, and for segmenting mails into pieces that can be sent separately. What are MIME Headers? MIME introduced some additional complexity into Internet mail processing. In the original Internet mail standard, the data could only be text; however, under MIME, the data could represent graphics, music, text (in any of a variety of languages), and so forth. There has to be a way for the mail to indicate what type of data it contains, directives for the mail server, and so forth. All of this information is conveyed via a special set of data at the start of a MIME mail called MIME Headers. What's wrong with the way Exchange handles MIME Headers? Whenever a new mail arrives at an Exchange server, the Exchange service reads the MIME headers as part of the processing of the mail. However, if the MIME headers contain a particular type of invalid values, Exchange will fail. Only a very specific type of invalid data will cause the service to fail. What could a malicious user use the vulnerability to do? A malicious user could create an email containing the malformed MIME headers at issue here, and then send it to an affected Exchange server in order to prevent the server from providing mail service. Could the malicious user exploit this vulnerability to delete mail, or take over the server? No. This is a denial service vulnerability only. The only thing that can be done via the vulnerability is to cause the Exchange service to fail. What would be required to put the server back into normal operation? The server operator would need to restart the Exchange service, then delete the offending mail from the queue. It would not be necessary to reboot the server. How could I tell which mail was the one that caused the Exchange service to fail? The offending mail would be at the front of the queue after the Exchange service was restarted. Is there any other way to eliminate the vulnerability? Yes. Exchange 5.5 Service Pack 4 also eliminates the vulnerability. Customers who apply the service pack do not need to apply the patch. In general, Microsoft always recommends that service packs, rather than security patches, be used as the primary means of eliminating security vulnerabilities. A discussion of the rationale behind this recommendation is available on the Microsoft Security Web Site. Does this vulnerability affect Exchange 2000? No. Who should use the patch? Microsoft recommends that customers using Exchange 5.5 apply either the patch or Service Pack 4. What does the patch do? The patch eliminates the vulnerability by causing Exchange to treat the malformed headers at issue here as invalid data. How do I use the patch? Knowledge Base article <http://www.microsoft.com/technet/support/kb.asp?ID=275714> Q275714 contains detailed instructions for applying the patch to your site How can I tell if I installed the patch correctly? The Knowledge Base article <http://www.microsoft.com/technet/support/kb.asp?ID=275714> Q275714 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article. -- Eko Sulistiono MIKRODATA & AntiVirus Media Web: http://www.mikrodata.co.id/ WAP: http://www.mikrodata.co.id/wap/index.wml This message contains no viruses. Guaranteed by AVP. ------------------------------------------------------------------------ Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM) Informasi : http:[EMAIL PROTECTED] Arsip : http://www.mail-archive.com/forum%40mikrodata.co.id/ WAP : http://mikrodata.co.id/wap/index.wml Milis ini menjadi kontribusi beberapa rubrik yang diasuh tim MIKRODATA. Termasuk rubrik-rubrik yang ada di media lain. Memakai, Menyebarluaskan, dan Memperbanyak software bajakan adalah tindakan kriminal. Please check with the latest AVP update before you ask about virus: ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
