VID 18039
Severity 40
Port 25
Protocol TCP
Class SMTP
Detailed Description The detected version of Microsoft Exchange Server has a buffer overflow vulnerability in the Internet Mail Connector's (IMC) EHLO response.
Microsoft Exchange Server includes a component called Internet Mail Connector (IMC) that allows an Exchange server to communicate with remote SMTP servers. A vulnerability exists in this component that may allow remote attackers to execute arbitrary code on Exchange servers under specific circumstances.
When the IMC receives an SMTP extended Hello (EHLO) protocol command, which is used to query another server for the list of SMTP extensions it supports, it responds with a status reply that starts with the following:
250-<Exchange server ID> Hello <Connecting server ID>

A remote attacker who runs their own DNS server and controls the reverse lookup responses for their address, or who employs DNS spoofing techniques, can send a specially crafted EHLO command that causes the IMC to build a response that overflows a buffer. An attacker can use this vulnerability to crash the Exchange Server or gain complete control over a vulnerable server.

* Note: This check item relies solely on the banner of the remote SMTP server to assess this vulnerability; it does not confirm whether the workaround or the service pack has been applied.

* References:
http://online.securityfocus.com/bid/5306
http://www.microsoft.com/technet/security/bulletin/MS02-037.asp

Platforms Affected:
* Microsoft Exchange 5.5
Recommendation As a workaround, disable reverse DNS lookup on EHLO by setting the registry value described in Microsoft Knowledge Base article Q190026: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q190026

To disable reverse DNS lookup:

1. Start Registry Editor (Regedt32.exe).
2. Locate the "DisableReverseResolve" value under the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters\
3. On the Edit menu, click Binary, type 1, and then click OK.
4. Quit Registry Editor.
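The following PowerShell script is an added example, not part of the original advisory or of Microsoft's KB article: it audits whether the DisableReverseResolve workaround is present on the IMC's Parameters key and can apply it. It assumes the value is stored as a REG_DWORD when created fresh (the Regedt32 steps above edit it as binary data, so an existing value may be REG_BINARY; both forms are read). Run it elevated on the Exchange 5.5 host.

```powershell
# Added example (not the advisory's own procedure): audit/apply the
# DisableReverseResolve workaround for the IMC EHLO reverse lookup.
# Registry key taken from the advisory text above.
$ImcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters'
$ValueName = 'DisableReverseResolve'

function Test-ImcReverseResolveDisabled {
    # Returns an object describing whether the workaround is in place.
    if (-not (Test-Path -Path $ImcKey)) {
        # No IMC parameters key: the Internet Mail Connector is not installed here.
        return [pscustomobject]@{ KeyPresent = $false; Disabled = $false; Value = $null }
    }
    $props = Get-ItemProperty -Path $ImcKey -ErrorAction SilentlyContinue
    $raw = $props.$ValueName
    $disabled = $false
    if ($null -ne $raw) {
        if ($raw -is [byte[]]) {
            # REG_BINARY as written by Regedt32's "Binary" editor: any non-zero byte counts.
            $disabled = @($raw | Where-Object { $_ -ne 0 }).Count -gt 0
        } else {
            # REG_DWORD (assumed type when created by this script).
            $disabled = ([int]$raw -ne 0)
        }
    }
    [pscustomobject]@{ KeyPresent = $true; Disabled = $disabled; Value = $raw }
}

function Set-ImcReverseResolveDisabled {
    # Applies the workaround; does nothing if it is already in effect.
    $state = Test-ImcReverseResolveDisabled
    if (-not $state.KeyPresent) { throw "IMC parameters key not found: $ImcKey" }
    if ($state.Disabled) { return $state }
    if ($null -eq $state.Value) {
        # Assumption: create the value as REG_DWORD = 1 (verify against KB Q190026).
        New-ItemProperty -Path $ImcKey -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
    } else {
        # Preserve the existing value kind and set it to 1.
        $kind = (Get-Item -Path $ImcKey).GetValueKind($ValueName)
        $newValue = if ($kind -eq 'Binary') { [byte[]](1) } else { 1 }
        Set-ItemProperty -Path $ImcKey -Name $ValueName -Value $newValue
    }
    Test-ImcReverseResolveDisabled
}

Test-ImcReverseResolveDisabled | Format-List
```

The registry change takes effect for the IMC service after it is restarted; installing Service Pack 4 remains the complete fix.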

-- OR --

Download and install Microsoft Exchange 5.5 Service Pack 4 or later from Microsoft Security Bulletin MS02-037:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40666
Related URL CVE-2002-0698 (CVE)