A flaw in the authentication mechanism that Microsoft Exchange Server 2003 uses for Outlook Web Access users in some configurations could expose another user's mailbox.
Outlook Web Access (OWA) is a feature of Microsoft Exchange Server 2003. By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send e-mail messages, manage their calendar, or perform other mail functions over the Internet by using a Web browser. Exchange servers providing OWA access can be configured in a front-end/back-end configuration that allows users with mailboxes on multiple servers to connect to a single front-end Exchange server. This front-end server in turn connects ("proxies") to the appropriate back-end servers where mailboxes are actually stored.
A flaw exists in the way that Hypertext Transfer Protocol (HTTP) connections are reused when NTLM authentication is used between front-end Exchange 2003 servers providing OWA access and running Windows 2000 or Windows Server 2003, and back-end Exchange 2003 servers that are running Windows Server 2003. This flaw may expose a vulnerability in which authenticated users on the system are occasionally and unpredictably connected to another user's mailbox.
Kerberos is the default authentication mechanism between the Exchange server providing OWA and the back-end Exchange server and the vulnerability is not exposed when this method of authentication is used. However, there may be situations in which a fallback to NTLM authentication between these servers has occurred. According to Microsoft this situation may occur when a Microsoft Internet Information Services (IIS) virtual server is extended with Windows SharePoint Services (WSS). The virtual server is subsequently configured to use Integrated Windows authentication (formerly named NTLM, or Windows NT Challenge/Response authentication) and explicitly disables Kerberos authentication. Alternatively, if WSS has been installed on the same server as an Exchange Server 2003 back-end running Windows Server 2003, Kerberos may have been disabled on the website hosting the Exchange programs.
A victim user's mailbox may be exposed to another user of the system who has successfully authenticated. The authenticated user would then be able to take any action that the victim user would be authorized to take including reading, sending, and deleting e-mail messages in the victim user's mailbox . According to Microsoft, an attacker attempting to exploit this vulnerability has no guarantee it will succeed. Even if successful, the particular user mailbox exposed is unpredictable.
Apply a patch from the vendor
See Microsoft Knowledge Base Article 832749 for information about how to disable HTTP connection reuse on a Microsoft Exchange Server 2003 front-end server.
Impact of workaround: Clients may experience small performance degradation when they use OWA to access their mailboxes.
See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication.
See Microsoft Knowledge Base Article 823265 for information about how to re-enable OWA and other Exchange components after you install Windows SharePoint Services.
Impact of workaround: None
This vulnerability was originally reported by Matthew Johnson in a public forum.
This document was written by Chad R Dougherty.
|Date First Published:||2004-01-21|
|Date Last Updated:||2004-01-21 22:15 UTC|