Vulnerability Note VU#530660

Microsoft Exchange Server 2003 fails to assign user credentials to proper mailbox

Original Release date: 21 Jan 2004 | Last revised: 21 Jan 2004

Overview

A flaw in the authentication mechanism that Microsoft Exchange Server 2003 uses for Outlook Web Access users in some configurations could expose another user's mailbox.

Description

Outlook Web Access (OWA) is a feature of Microsoft Exchange Server 2003. By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send e-mail messages, manage their calendar, or perform other mail functions over the Internet by using a Web browser. Exchange servers providing OWA access can be configured in a front-end/back-end configuration that allows users with mailboxes on multiple servers to connect to a single front-end Exchange server. This front-end server in turn connects ("proxies") to the appropriate back-end servers where mailboxes are actually stored.

A flaw exists in the way that Hypertext Transfer Protocol (HTTP) connections are reused when NTLM authentication is used between front-end Exchange 2003 servers providing OWA access and running Windows 2000 or Windows Server 2003, and back-end Exchange 2003 servers that are running Windows Server 2003. This flaw may expose a vulnerability in which authenticated users on the system are occasionally and unpredictably connected to another user's mailbox.

Kerberos is the default authentication mechanism between the Exchange server providing OWA and the back-end Exchange server and the vulnerability is not exposed when this method of authentication is used. However, there may be situations in which a fallback to NTLM authentication between these servers has occurred. According to Microsoft this situation may occur when a Microsoft Internet Information Services (IIS) virtual server is extended with Windows SharePoint Services (WSS). The virtual server is subsequently configured to use Integrated Windows authentication (formerly named NTLM, or Windows NT Challenge/Response authentication) and explicitly disables Kerberos authentication. Alternatively, if WSS has been installed on the same server as an Exchange Server 2003 back-end running Windows Server 2003, Kerberos may have been disabled on the website hosting the Exchange programs.

Impact

A victim user's mailbox may be exposed to another user of the system who has successfully authenticated. The authenticated user would then be able to take any action that the victim user would be authorized to take including reading, sending, and deleting e-mail messages in the victim user's mailbox . According to Microsoft, an attacker attempting to exploit this vulnerability has no guarantee it will succeed. Even if successful, the particular user mailbox exposed is unpredictable.

Solution

Apply a patch from the vendor

Microsoft Corporation has published Microsoft Security Bulletin MS04-002 in response to this issue. Users are encouraged to review this bulletin and apply the patches that it refers to.

Workarounds


Microsoft Security Bulletin MS04-002 also describes the following workarounds for this vulnerability:

    1. Disable HTTP connection reuse on an Exchange Server 2003 front-end server.
    By default, Exchange Server 2003 reuses HTTP Connections between front-end and back-end servers to gain improved performance. Connection reuse can be turned off on the Exchange front-end server. Doing so could cause some performance degradation, but it is an effective workaround to this vulnerability. After you apply the update to the Exchange Server 2003 front-end server, you can remove this workaround.

    See Microsoft Knowledge Base Article 832749 for information about how to disable HTTP connection reuse on a Microsoft Exchange Server 2003 front-end server.

    Impact of workaround: Clients may experience small performance degradation when they use OWA to access their mailboxes.

    2. Enable Kerberos on the virtual server that hosts OWA on the Exchange Server 2003 back-end server.
    The only known way that this vulnerability can be exposed is if Kerberos is disabled on the Internet Information Services virtual server where Outlook Web Access is hosted on the back-end server. This configuration change may occur when Windows SharePoint Services (WSS) 2.0 is installed on the same virtual server.

    See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication.

    See Microsoft Knowledge Base Article 823265 for information about how to re-enable OWA and other Exchange components after you install Windows SharePoint Services.

    Impact of workaround: None


Sites, particularly those that are unable to apply the patches above, are encouraged to consider implementing these workarounds.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected24 Nov 200314 Jan 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was originally reported by Matthew Johnson in a public forum.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CAN-2003-0904
  • Date Public: 14 Nov 2003
  • Date First Published: 21 Jan 2004
  • Date Last Updated: 21 Jan 2004
  • Severity Metric: 2.70
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.