Vulnerability Note VU#530660
Microsoft Exchange Server 2003 fails to assign user credentials to proper mailbox
A flaw in the authentication mechanism that Microsoft Exchange Server 2003 uses for Outlook Web Access users in some configurations could expose another user's mailbox.
Outlook Web Access (OWA) is a feature of Microsoft Exchange Server 2003. By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send e-mail messages, manage their calendar, or perform other mail functions over the Internet by using a Web browser. Exchange servers providing OWA access can be configured in a front-end/back-end configuration that allows users with mailboxes on multiple servers to connect to a single front-end Exchange server. This front-end server in turn connects ("proxies") to the appropriate back-end servers where mailboxes are actually stored.
A flaw exists in the way that Hypertext Transfer Protocol (HTTP) connections are reused when NTLM authentication is used between front-end Exchange 2003 servers providing OWA access and running Windows 2000 or Windows Server 2003, and back-end Exchange 2003 servers that are running Windows Server 2003. This flaw may expose a vulnerability in which authenticated users on the system are occasionally and unpredictably connected to another user's mailbox.
Kerberos is the default authentication mechanism between the Exchange server providing OWA and the back-end Exchange server and the vulnerability is not exposed when this method of authentication is used. However, there may be situations in which a fallback to NTLM authentication between these servers has occurred. According to Microsoft this situation may occur when a Microsoft Internet Information Services (IIS) virtual server is extended with Windows SharePoint Services (WSS). The virtual server is subsequently configured to use Integrated Windows authentication (formerly named NTLM, or Windows NT Challenge/Response authentication) and explicitly disables Kerberos authentication. Alternatively, if WSS has been installed on the same server as an Exchange Server 2003 back-end running Windows Server 2003, Kerberos may have been disabled on the website hosting the Exchange programs.
A victim user's mailbox may be exposed to another user of the system who has successfully authenticated. The authenticated user would then be able to take any action that the victim user would be authorized to take including reading, sending, and deleting e-mail messages in the victim user's mailbox . According to Microsoft, an attacker attempting to exploit this vulnerability has no guarantee it will succeed. Even if successful, the particular user mailbox exposed is unpredictable.
Apply a patch from the vendor
By default, Exchange Server 2003 reuses HTTP Connections between front-end and back-end servers to gain improved performance. Connection reuse can be turned off on the Exchange front-end server. Doing so could cause some performance degradation, but it is an effective workaround to this vulnerability. After you apply the update to the Exchange Server 2003 front-end server, you can remove this workaround.
See Microsoft Knowledge Base Article 832749 for information about how to disable HTTP connection reuse on a Microsoft Exchange Server 2003 front-end server.
Impact of workaround: Clients may experience small performance degradation when they use OWA to access their mailboxes.
The only known way that this vulnerability can be exposed is if Kerberos is disabled on the Internet Information Services virtual server where Outlook Web Access is hosted on the back-end server. This configuration change may occur when Windows SharePoint Services (WSS) 2.0 is installed on the same virtual server.
See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication.
See Microsoft Knowledge Base Article 823265 for information about how to re-enable OWA and other Exchange components after you install Windows SharePoint Services.
Impact of workaround: None
Sites, particularly those that are unable to apply the patches above, are encouraged to consider implementing these workarounds.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||24 Nov 2003||14 Jan 2004|
CVSS Metrics (Learn More)
This vulnerability was originally reported by Matthew Johnson in a public forum.
This document was written by Chad R Dougherty.
- CVE IDs: CAN-2003-0904
- Date Public: 14 Nov 2003
- Date First Published: 21 Jan 2004
- Date Last Updated: 21 Jan 2004
- Severity Metric: 2.70
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.