Vulnerability Note VU#874115

Microsoft Windows SMTP Service fails to properly handle responses from the NTLM authentication layer

Overview

A flaw in the authentication code of the SMTP service provided with Windows 2000 server and Exchange 5.5 may allow a user to gain access to the SMTP service. This access could be used to relay mail in violation of the SMTP server's security policy, or to consume CPU resources on the SMTP server.

I. Description

As of October 2003, the CERT/CC has begun seeing reports of exploitation. It is possible that an exploit for this vulnerability exists and is being used. Microsoft released a patch for this issue in February 2002. It is recommended that users of Windows 2000 server and Exchange 5.5 apply the patch provided in MS02-011. In addition to exploiting this vulnerability to cause a denial of service, it is reported that the exploit attempts to guess passwords to common accounts on the system, such as administrator and IUSR_machinename. This highlights the importance of selecting strong passwords. For more information about selecting a strong password, we recommend that users review the following section of the Home Computer Security document:

The vulnerability is caused by a problem in the checks performed after a valid NTLM authentication. A remote user who is able to successfully authenticate via NTLM may be able to use the SMTP server's resources. The attacker would not gain administrative privileges, but could consume CPU resources, or relay mail in violation of the SMTP server's security policy.

The vulnerability is present in SMTP servers shipped with Windows 2000 server, and Exchange 5.5 Internet Mail Connector. It is not present in the SMTP servers shipped with Windows NT 4.0 or Windows XP.
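
The following log triage sketch is an added example, not code from the CERT/CC or Microsoft. It flags the two behaviours described above: repeated failed logons against administrator and IUSR_ accounts, and mail relayed to a non-local domain by an authenticated account that policy does not allow to relay. The log line format, the sample lines, LOCAL_DOMAINS, RELAY_ALLOWED and GUESS_THRESHOLD are all constructed assumptions, not the Windows SMTP service's own log format.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}   # assumption: domains this server accepts mail for
RELAY_ALLOWED = {"alice"}         # assumption: accounts policy permits to relay
GUESS_THRESHOLD = 3               # assumption: failed logons per client before flagging
TARGETED = re.compile(r"^(administrator|iusr_\S+)$", re.I)  # accounts named in the note

# Constructed sample lines in a simplified format: "<time> <client-ip> <event> <detail>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 AUTH_FAIL administrator
10:00:02 203.0.113.7 AUTH_FAIL administrator
10:00:03 203.0.113.7 AUTH_FAIL IUSR_MAIL01
10:00:04 203.0.113.7 AUTH_OK IUSR_MAIL01
10:00:05 203.0.113.7 RCPT user@elsewhere.test
10:01:00 198.51.100.20 AUTH_OK alice
10:01:01 198.51.100.20 RCPT bob@example.com
10:01:02 198.51.100.20 RCPT partner@elsewhere.test
10:02:00 192.0.2.9 AUTH_FAIL carol
"""

def triage(log_text):
    """Return (clients guessing passwords, out-of-policy relay events)."""
    failures = defaultdict(int)   # client -> failed logons on targeted accounts
    authed = {}                   # client -> account that last authenticated
    relays = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue              # skip blank or malformed lines
        _, client, event, detail = parts
        if event == "AUTH_FAIL" and TARGETED.match(detail):
            failures[client] += 1
        elif event == "AUTH_OK":
            authed[client] = detail
        elif event == "RCPT" and client in authed:
            domain = detail.rpartition("@")[2].lower()
            account = authed[client]
            if domain not in LOCAL_DOMAINS and account.lower() not in RELAY_ALLOWED:
                relays.append((client, account, detail))
    guessing = sorted(c for c, n in failures.items() if n >= GUESS_THRESHOLD)
    return guessing, relays

if __name__ == "__main__":
    guessing, relays = triage(SAMPLE_LOG)
    print("password guessing from:", guessing)
    for client, account, rcpt in relays:
        print(f"out-of-policy relay: {client} as {account} -> {rcpt}")
```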

II. Impact

An attacker that is able to authenticate to the SMTP server may be able to relay mail in violation of the SMTP server's security policy, or consume CPU resources on the SMTP server.

III. Solution

Apply a Patch


Microsoft has published patches correcting this vulnerability. The patches are listed in their advisory at:


Systems Affected

Vendor    Status    Date Notified    Date Updated
Microsoft Corporation    Vulnerable    26-Sep-2002

References

http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
http://razor.bindview.com/publish/advisories/adv_iis_smtp_null_relay.html
http://online.securityfocus.com/bid/4205

Credit

Thanks to the BindView Razor team for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

Date Public: 2002-02-27
Date First Published: 2002-09-27
Date Last Updated: 2003-10-09
CERT Advisory:
CVE-ID(s): CVE-2002-0054
NVD-ID(s): CVE-2002-0054
US-CERT Technical Alerts:
Severity Metric: 1.27
Document Revision: 12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University