Vulnerability Note VU#435963
Microsoft Windows 2000 SMTP service fails to properly authenticate credentials of unauthorized user (MS01-037)
A vulnerability exists in the SMTP service installed by default on Microsoft Windows 2000 Server (and optionally on Windows 2000 professional) that could allow an intruder to use the service to send mail.
The Simple Mail Transfer Protocol (SMTP) is the standard protocol used to transport mail across the Internet. Microsoft Windows 2000 Server contains an SMTP server that requires authentication before users are permitted to send mail. A flaw in the way the server handles authentication could permit an intruder to use the service to send mail without providing genuine credentials.
For more information, see Microsoft security bulletin MS01-037.
Intruders may be able to send mail through a vulnerable server in violation of local security policies.
The CERT/CC is currently unaware of a general purpose solution to this problem without strong digital signatures on all mail messages. To address the specific problem in the Microsoft SMTP server, apply a patch as described in MS01-037.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft||Affected||-||17 Aug 2001|
CVSS Metrics (Learn More)
This document was written by Shawn V. Hernan.
- CVE IDs: CAN-2001-0504
- Date Public: 05 Jul 2001
- Date First Published: 17 Aug 2001
- Date Last Updated: 17 Aug 2001
- Severity Metric: 5.70
- Document Revision: 4
If you have feedback, comments, or additional information about this vulnerability, please send us email.