US-CERT Vulnerability Notes Database

Vulnerability Note VU#435963

Microsoft Windows 2000 SMTP service fails to properly authenticate credentials of unauthorized user (MS01-037)

Overview

A vulnerability exists in the SMTP service installed by default on Microsoft Windows 2000 Server (and optionally on Windows 2000 Professional) that could allow an intruder to use the service to send mail.

I. Description

The Simple Mail Transfer Protocol (SMTP) is the standard protocol used to transport mail across the Internet. Microsoft Windows 2000 Server contains an SMTP server that requires authentication before users are permitted to send mail. A flaw in the way the server handles authentication could permit an intruder to use the service to send mail without providing genuine credentials.

For more information, see Microsoft security bulletin MS01-037.

It should be noted that even in the best of circumstances, SMTP is very difficult to authenticate without end-to-end cryptographic solutions. Quoting from RFC 2821:

    SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so that the "spoofed" behavior cannot be detected by an expert is somewhat more difficult, but not sufficiently so as to be a deterrent to someone who is determined and knowledgeable. Consequently, as knowledge of Internet mail increases, so does the knowledge that SMTP mail inherently cannot be authenticated, or integrity checks provided, at the transport level. Real mail security lies only in end-to-end methods involving the message bodies, such as those which use digital signatures...

II. Impact

Intruders may be able to send mail through a vulnerable server in violation of local security policies.
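The policy described above (authentication before mail is sent through the server) can be checked against recorded SMTP sessions. The following is an added example, not part of the original note or of Microsoft's bulletin; it assumes transcripts in the RFC-style "C:"/"S:" line convention and a caller-supplied set of local domains, and its sample sessions are constructed. It flags mail accepted for non-local recipients in sessions with no successful AUTH (reply code 235); it cannot detect a server that reports success for credentials that are not genuine.

```python
import re

REPLY = re.compile(r"^S: (\d{3})(-?)")
RCPT = re.compile(r"^RCPT TO:\s*<([^@>]*@([^>]+))>", re.I)

def audit_session(transcript, local_domains):
    """Return non-local recipients the server agreed to carry mail for
    in a session that never saw a successful AUTH (reply code 235)."""
    authed, in_data, last_cmd = False, False, ""
    accepted, flagged = [], []
    for line in transcript.splitlines():
        if line.startswith("C: "):
            text = line[3:].strip()
            if in_data:
                in_data = text != "."        # a lone "." ends the message
                last_cmd = ""
            else:
                last_cmd = text
            continue
        m = REPLY.match(line)
        if not m or m.group(2) == "-":       # skip non-final lines of a multiline reply
            continue
        code, verb = m.group(1), last_cmd.upper()
        if code == "235":
            authed = True
        elif verb.startswith("MAIL FROM") and code == "250":
            accepted = []                    # new mail transaction
        elif verb.startswith("RCPT TO") and code in ("250", "251"):
            r = RCPT.match(last_cmd)
            if r and r.group(2).lower() not in local_domains:
                accepted.append(r.group(1))
        elif verb == "DATA" and code == "354":
            in_data = True                   # server agreed to take the message
            if not authed:
                flagged.extend(accepted)
    return flagged

# Constructed transcripts (hosts and addresses are placeholders, not real captures).
HELLO = "S: 220 mx.corp.example ESMTP\nC: EHLO c.example\nS: 250-mx.corp.example\nS: 250 AUTH PLAIN\n"
SEND = ("C: MAIL FROM:<a@corp.example>\nS: 250 OK\nC: RCPT TO:<{rcpt}>\nS: 250 OK\n"
        "C: DATA\nS: 354 Go ahead\nC: Subject: hi\nC: .\nS: 250 Queued\nC: QUIT\nS: 221 Bye\n")
AUTH_OK = "C: AUTH PLAIN (elided)\nS: 235 Authentication successful\n"
AUTH_BAD = "C: AUTH PLAIN (elided)\nS: 535 Authentication failed\n"

if __name__ == "__main__":
    for name, t in [("auth+relay", HELLO + AUTH_OK + SEND.format(rcpt="x@other.example")),
                    ("fail+relay", HELLO + AUTH_BAD + SEND.format(rcpt="x@other.example")),
                    ("local", HELLO + SEND.format(rcpt="b@corp.example"))]:
        print(name, audit_session(t, {"corp.example"}))
```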

III. Solution

The CERT/CC is currently unaware of a general-purpose solution to this problem without strong digital signatures on all mail messages. To address the specific problem in the Microsoft SMTP server, apply a patch as described in MS01-037.

Systems Affected

Vendor    Status    Date Notified    Date Updated
Microsoft    Vulnerable    17-Aug-2001

References

http://www.cert.org/tech_tips/email_spoofing.html
http://www.microsoft.com/technet/security/bulletin/MS01-037.asp
http://www.securityfocus.com/bid/2988
http://www.ietf.org/rfc/rfc2821.txt?number=2821
http://www.ietf.org/rfc/rfc2822.txt?number=2822

Credit

This document was written by Shawn V. Hernan.

Other Information

Date Public: 2001-07-05
Date First Published: 2001-08-17
Date Last Updated: 2001-08-17
CERT Advisory:
CVE-ID(s): CAN-2001-0504
NVD-ID(s): CAN-2001-0504
US-CERT Technical Alerts:
Severity Metric: 5.70
Document Revision: 4

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University