
Vulnerability:Win/SMTP.Exchange.RCE!CAN-2003-0714

Severity rating: Critical
Class/Type: Vulnerability
Discovered date: 2003-10-15T00:00:00
Attack vector: Remote
Authentication required: No
Public exploits available: Yes
Signature detection: Medium







Description

In Exchange Server 5.0 and Exchange Server 5.5, an unauthenticated attacker could issue a specially crafted SMTP extended verb request to allocate large amounts of memory. In Exchange 2000 Server, an unauthenticated attacker could issue a specially crafted SMTP extended verb request to exploit an unchecked buffer.



Impact

The vulnerability could allow an unauthenticated attacker to exhaust large amounts of memory on the server, which could leave the server unable to respond to requests. In Exchange 2000 Server, the attacker could also, in the worst case, cause remote code execution.



Technical details (analysis)

In Exchange Server 5.0 and Exchange Server 5.5, an unauthenticated attacker could issue a specially crafted SMTP extended verb request to allocate large amounts of memory. In Exchange 2000 Server, an unauthenticated attacker could issue a specially crafted SMTP extended verb request to exploit an unchecked buffer.

An unauthenticated attacker could seek to exploit this vulnerability by connecting to an SMTP port on the Exchange server and issuing a specially crafted extended verb request. These requests can allocate memory on the server and can cause a denial of service. In Exchange 2000 Server, it is also possible to craft the request so that the SMTP service fails in a way that lets an attacker execute code. This could allow an attacker to take any action on the system in the security context of the SMTP service. By default, the SMTP service runs as Local System.



Affected software

Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Exchange 2000 Server, Service Pack 3



Non-affected software

Microsoft Exchange Server 2003




NIS signature

Name: Vulnerability:Win/SMTP.Exchange.RCE!CAN-2003-0714
Release Date: 2003-10-15T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Use SMTP protocol inspection to filter out SMTP protocol extensions.
Use a firewall to block the port that SMTP uses.
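
The first work-around, sketched as an added example (not code from this page or from any product): an allow-list that an SMTP inspection proxy could apply so that only base SMTP verbs reach the Exchange server. The class and function names, the choice of base verbs, and the verb XEXAMPLE in the constructed sample traffic are assumptions made for illustration.

```python
# Added example: allow-list filter for an SMTP inspection proxy (hypothetical names).
BASE_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_CMD_LINE = 512  # RFC 5321 limit for a command line, CRLF included


class SmtpVerbFilter:
    """Per-connection state: decides which client lines reach the mail server."""

    def __init__(self):
        self.await_354 = False  # DATA forwarded, server has not answered yet
        self.in_data = False    # client is sending message content

    def on_server_reply(self, code):
        # Only a 354 reply to DATA switches the client into message content.
        if self.await_354:
            self.in_data = (code == 354)
            self.await_354 = False

    def check_client_line(self, line):
        """Return (forward, detail) for one CRLF-terminated client line."""
        if self.in_data:
            if line.rstrip(b"\r\n") == b".":  # lone dot ends the message
                self.in_data = False
            return True, "message content"
        if len(line) > MAX_CMD_LINE:
            return False, "500 Line too long"
        parts = line.split(None, 1)
        verb = parts[0].decode("ascii", "replace").upper() if parts else ""
        if verb not in BASE_VERBS:
            return False, "500 Command not recognized"  # never reaches the server
        self.await_354 = (verb == "DATA")
        return True, verb


def strip_ehlo_extensions(reply):
    """Reduce a multi-line 250 EHLO reply to its greeting line, hiding extensions."""
    first = reply.split(b"\r\n", 1)[0]
    if first.startswith(b"250-"):
        first = b"250 " + first[4:]
    return first + b"\r\n"


def run_constructed_session():
    # Constructed sample traffic; XEXAMPLE is a made-up extension verb.
    f = SmtpVerbFilter()
    return [f.check_client_line(b"EHLO client.example\r\n"),
            f.check_client_line(b"XEXAMPLE arg1 arg2\r\n"),
            f.check_client_line(b"MAIL FROM:<a@example.com>\r\n"),
            f.check_client_line(b"NOOP " + b"A" * 600 + b"\r\n")]
```

Because the filter is an allow-list, any extended verb is rejected at the proxy whether or not it is the one this signature covers, at the cost of disabling legitimate extensions for clients on that path.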