TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin MS02-011

Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service

Originally posted: February 27, 2002
Updated: April 13, 2004
Version: 2.0

Summary

Who should read this bulletin:
Customers using Microsoft® Windows® 2000, Windows NT® Server 4.0 Option Pack, Exchange® Server 5.5, or Exchange Server 5.0

Impact of vulnerability:
Mail relaying.

Maximum Severity Rating:
Low

Recommendation:
Customers who need the Windows 2000 and Windows NT Server 4.0 SMTP services should apply the Windows patches; all others should disable the SMTP service. Customers using the Exchange Server 5.5 IMC should apply the Exchange Server 5.5 IMC patch. Customers using Exchange 5.0 may apply the workaround described in the Frequently Asked Questions section below. Exchange 5.0 is not affected by this vulnerability, but general information about securing Exchange 5.0 against mail relay is provided for your information.

Affected Software:

•	Microsoft Windows 2000
•	Microsoft Windows NT Server 4.0 Option Pack
•	Microsoft Exchange Server 5.5

Top of section

General Information

Technical details

Technical description:

Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Windows NT Server 4.0 Server Option Pack. Microsoft has updated the bulletin with additional information about Windows NT Server 4.0 Option Pack and Exchange Server 5.0 and also to direct users to a security update for Windows NT Server 4.0.

An SMTP service installs by default as part of Windows 2000 server products. There is no default SMTP service for Windows NT Server 4.0, but you may install an SMTP service as part of the Windows NT 4 Option Pack. An SMTP server is part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5 and Exchange Server 5.0. (The IMC, also known as the Microsoft Exchange Internet Mail Service, provides access and message exchange to and from any system that uses SMTP). A vulnerability results in the Windows and Exchange 5.5 services because of a flaw in the way they handle a valid response from the NTLM authentication layer of the underlying operating system. The Exchange 5.0 IMC does not support allowing or disallowing mail relay based on authentication, and therefore this issue does not apply to Exchange 5.0. If you are an Exchange 5.0 administrator, refer to the "Frequently Asked Questions" section of this bulletin for general information on securing an Exchange 5.0 server against malicious mail relay.

By design, the Windows 2000 and the Windows NT Server 4.0 SMTP service as well as the Exchange Server 5.5 IMC, upon receiving notification from the NTLM authentication layer that a user has been authenticated, perform additional checks before allowing the user to relay mail through the service. The vulnerability results because the affected services don't perform this additional checking correctly. In some cases, this could result in the SMTP service granting access to a user solely on the basis of their ability to successfully authenticate to the server.

An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.

Mitigating factors:

•	Exchange 2000 servers are not affected by the vulnerability because they correctly handle the authentication process to the SMTP service.
•	The vulnerability would not enable the attacker to read other users' email, nor to send mail as other users.
•	Best practices recommend disabling unneeded services. If the SMTP service has been disabled, the mail relaying vulnerability could not be exploited.
•	The vulnerability would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.

Severity Rating: Low

	Internet Servers	Intranet Servers	Client Systems
Windows 2000	Low	Low	Low
Windows NT Server 4.0	Low	Low	Low
Exchange Server 5.5	Low	Low	None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. An attacker could only relay mail and would not be able to read mail, gain system privileges or run programs.

Vulnerability identifier: CAN-2002-0054

Tested Versions:

Microsoft tested Windows 2000, Windows NT 4.0 Option Pack SMTP service, Exchange Server 5.5, Exchange Server 5.0 and Exchange Server 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Top of section

Frequently asked questions

Why is Microsoft reissuing this bulletin?
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Windows NT Server 4.0 Option Pack. Microsoft has updated the bulletin with additional information about Windows NT Server 4.0 and Exchange Server 5.0 and also to direct users to an update for Windows NT Server 4.0.

What's the scope of the vulnerability?
This vulnerability could enable an unauthorized user to consume resources of a mail server without authorization. This could enable an attacker to disguise the origination point of a mail, or co-opt a server's resources for mass mailings.
This vulnerability is subject to constraints:

•	It would only affect servers running the Exchange Server 5.5 Internet Mail Connector service, the native Windows 2000 SMTP service or the native Windows NT Server 4.0 SMTP Service.
•	It would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands.
•	Mail servers running Exchange 2000 are not be affected by this vulnerability.

What causes the vulnerability?
The vulnerability results because of an authentication error affecting the SMTP service in Windows 2000, Windows NT Server 4.0, and the Exchange Server 5.5 Internet Mail Connector. These services should perform additional checking before granting mail privileges to a user who has authenticated to the server; however, they do not do so correctly.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822 . The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mails. An SMTP service is provided with Windows 2000 and installs by default on server products.

What is the Exchange 5.5 Internet Mail Connector?
The Internet Mail Connector (IMC) is the component in Exchange Server 5.5 that allows mail to be sent to and received from other servers that use SMTP. It installs by default as part of Exchange Server 5.5, and is also sometimes referred to as the Exchange Server 5.5 Internet Mail Service.

What's wrong with the Windows 2000 SMTP service, Windows NT Server 4.0 SMTP service and Exchange Server 5.5 IMC?
Before a user can make use of a mail service, they first must authenticate to the server. But even if this is done successfully, the mail services themselves should perform additional checking to ensure that it's appropriate to let the user access them. The Windows 2000 SMTP service, Windows NT Server 4.0 SMTP Service, and Exchange Server 5.5 IMC do not perform this additional checking correctly. The result is that a user who could successfully authenticate to the server would always have the ability to use the mail services, even if it's not appropriate.

What would this enable the attacker to do?
The vulnerability would enable an attacker to levy mail requests as an authorized user. That is, it would enable the attacker to send mail. The most likely use of this vulnerability would be in performing mail relaying.

What's mail relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate mail server, which then delivers it to the recipient's mail server. Mail relaying is often a legitimate practice. For example, suppose a company with several servers has designated one of them as a mail gateway to the Internet. Any e-mail sent to the company would arrive at the gateway server, and then be relayed to the appropriate server for delivery to the recipient.
However, malicious users also sometimes try to perform unauthorized mail relaying. For example, a spammer who has a low-end server and a slow network connection might use mail relaying in order to get someone else's higher-powered mail server and fast network connection to send spam on their behalf. Mail relaying also has been misused to disguise the point of origination for an email.

Would the vulnerability allow the attacker to take any other actions on the server?
The vulnerability would only confer user-level privileges on the SMTP service to the attacker - it would not grant administrative privileges to the service, nor would it grant the attacker the ability to run programs or operating system commands, nor would it allow the attacker to read, create, or send other users' mail.

Does this affect all Windows 2000 servers?
A Windows 2000 server would only be affected by it if the SMTP service is installed and running. This is the default configuration; however Microsoft always recommends reviewing the list of services and disabling any that aren't needed.

Does this affect all Windows NT Server 4.0 servers?

A Windows NT Server 4.0 server would only be affected by it if the SMTP service is installed and running. This is the default configuration if the NT Server 4.0 Option pack has been applied; however Microsoft always recommends reviewing the list of services and disabling any that aren't needed.

Does this affect all Exchange 5.0 servers?

No, because Exchange 5.0 servers do not support allowing or disallowing mail relay based on authentication. You cannot prevent unauthenticated users from relaying mail without disabling this capability for authenticated users too.

In Exchange 5.5, new functionality was added to enable SMTP routing for authenticated connections only, while disabling it for other connections. This new capability had the effect of turning on SMTP routing for authenticated users and turning it off for everyone else.

How then can I protect my Exchange 5.0 server?

Microsoft recommends that you do not connect an Exchange 5.0 Internet Mail Connector directly to the Internet unless you disable SMTP routing. To disable SMTP routing, use Exchange Administrator to select "Do not re-route incoming SMTP mail" on the properties of the Internet Mail Connector object.

If you turn off SMTP routing, this means that clients who connect to your Exchange server through the POP3 or IMAP4 protocols will be unable to send email using their SMTP server except to other users in your own SMTP domain. This would include all Outlook Express clients. Clients who use the MAPI protocol (Outlook users) will not be affected.

Does this vulnerability affect Windows XP Professional?
Windows XP Professional was tested and is not affected by this vulnerability.

I'm running Exchange Server 5.5 on a Windows 2000 system. Should I apply the Windows 2000 patch or the Exchange Server 5.5. patch?
Administrators of Exchange 5.5 only need apply the latest IMC patch described below. It is not necessary to apply the Windows 2000 patch.

I'm running Exchange 2000 Server. Do I need a patch?
No. Even though Exchange 2000 Server can be installed on a Windows 2000 server (and indeed, it is the only system it can be installed on), Exchange 2000 Server is not affected by this vulnerability. Exchange 2000 Server installs components that perform the additional checking correctly.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the SMTP service properly authenticates users before allowing them to levy requests on it.

Is there a single Windows 2000 patch for MS02-011 and MS02-12?
Yes, the Windows 2000 patch for both MS02-011 and MS02-012 are the same.

Top of section

Patch availability

Download locations for this patch

•	Windows 2000 Server, Professional and Advanced Server: http://www.microsoft.com/downloads/details.aspx?FamilyId=427A3B0A-FF47-4684-8AA3-127EB19EB848&displaylang=en
•	Windows NT Server 4.0: http://www.microsoft.com/downloads/details.aspx?FamilyId=457C0C18-8C3E-4923-B395-614C117F13C5&displaylang=en
•	Exchange Server 5.5: http://www.microsoft.com/downloads/details.aspx?FamilyId=A9E872EA-54B0-4179-8AE9-5648BFB46459&displaylang=en
•	Windows 2000 Datacenter Server: Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.

Additional information about this patch

Installation platforms:

•	The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 1
•	The Windows NT Server 4.0 patch can be installed on systems running Windows NT Server 4.0 Service Pack 6a.
•	The Exchange Server 5.5 patch can be installed on systems running Exchange Server 5.5 Service Pack 4

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 SP3

Reboot needed: Yes

Superseded patches: None.

Superceding patches: None

Verifying patch installation:

Exchange Server 5.5:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the Exchange Server 5.5 machine: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange 5.5\SP5\Q289258.
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange 5.5\SP5\Q289258\filelist.

Windows NT Server 4.0:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the Windows NT Server 4.0 machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\310669
•	To verify that the file for this fix has been installed, verify that the version of \WINNT\System32\inetsrv\smtpsvc.dll is 5.5.1877.78 or later.

Windows 2000:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the Windows 2000 machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q313450.
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q313450\Filelist.

Caveats:

During removal (uninstallation) of the Windows NT 4 Option Pack patch, the uninstaller may be unable to re-start the SMTP service. If this occurs, manually stop the IIS Administration service (NET STOP IISADMIN). Then start the IIS Administration service (NET START IISADMIN) and the SMTP service (NET START SMTPSVC).

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site.

Top of section

Other information:

Acknowledgments

Microsoft thanks

•	BindView's RAZOR Team for reporting this issue to us and working with us to protect customers.
•	Mario Kuechler for reporting that NT Server 4.0 is affected as well.

Support:

•	Microsoft Knowledge Base article Q313450 and Q289258 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
•	Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

•	V1.0 (February 27, 2002): Bulletin Created.
•	V2.0 (March 12, 2002): Updated to reflect that the Windows 2000 patch for MS02-012 and MS02-011 are the same.
•	V2.1 (May 09, 2003): Updated download links to Windows Update.
•	V3.0 April 13, 2004: Bulletin updated to advise of the availability of an update for Windows NT Server 4.0 and to advise Exchange Server 5.0 customers on how to better protect themselves.

Top of section

Top of page