MS-ISAC ADVISORY NUMBER:
2006-009
DATE(S) ISSUED:
05/09/2006
SUBJECT:
Vulnerability in Microsoft Exchange Server
SYSTEMS AFFECTED:
- Microsoft Exchange Server 2000 Service Pack 3
- Microsoft Exchange Server 2003 Service Pack 1
- Microsoft Exchange Server 2003 Service Pack 2
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Not Applicable
DESCRIPTION:
Microsoft Exchange Server 2000 SP3 and Microsoft Exchange Server 2003 (SP1 and SP2) are reported to be vulnerable to a remote code execution attack. The vulnerability stems from the way the Exchange Server processes certain properties in meeting requests, namely the iCal and vCal properties. Virtual Calendar (vCal) and Internet Calendar (iCal) are MIME content types used by Microsoft Exchange Server and email clients when sending and exchanging calendaring and scheduling information. These properties of an email meeting request are usually carried in a file called meeting.ics.
An attacker can send a malicious meeting request, or an email with a malicious meeting request (meeting.ics) attached. Once the Exchange Server processes the meeting request, the attacker can take complete control of the server. No user interaction is required, and Microsoft has provided no mitigating factors for this vulnerability.
Blocking meeting.ics attachments is not a recommended workaround. If blocked, legitimate meeting requests will not be received at all.
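Because blocking meeting.ics outright drops legitimate requests, an administrator of an unpatched server may instead want to inventory the calendar parts arriving in mail so they can be logged or held for review. The following Python helper is an added illustration, not code from the advisory or from Microsoft; the function name, the recognised MIME types and the sample message are constructed.

```python
import email
from email import policy

# MIME types used for Internet Calendar (iCal) and Virtual Calendar (vCal) data;
# the .ics filename check also catches meeting.ics sent under another type.
CALENDAR_TYPES = {"text/calendar", "text/x-vcalendar", "application/ics"}


def find_calendar_parts(raw_message: bytes) -> list:
    # Return one record per MIME part that looks like a meeting request.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        if ctype not in CALENDAR_TYPES and not filename.lower().endswith(".ics"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # application/ics decodes to bytes
            body = body.decode("utf-8", errors="replace")
        findings.append({
            "content_type": ctype,
            "filename": filename,
            "method": part.get_param("method", "") or "",  # e.g. REQUEST
            "is_vcalendar": "BEGIN:VCALENDAR" in body.upper(),
            "size": len(body),
        })
    return findings


# Constructed sample: a text body plus a meeting.ics part, as a client sends it
SAMPLE = b"""Subject: Weekly sync
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached meeting request.
--b1
Content-Type: text/calendar; method=REQUEST; name="meeting.ics"
Content-Disposition: attachment; filename="meeting.ics"

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Weekly sync
END:VEVENT
END:VCALENDAR
--b1--
"""
```

Each returned record identifies the part by content type, filename and iTIP method, which is enough to write a log line or route the message to a review queue without discarding it.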
Please Note: AT&T Internet Protect has determined that installing this update affects user mailbox permissions by revoking the 'Send As' permission in Exchange, which impacts third-party products such as Blackberry Enterprise Server for Microsoft Exchange. Once the update is applied, users on the Blackberry Enterprise Server will not be able to send email from a Blackberry or Blackberry-enabled device.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing. Please take into account the negative impact this has on Blackberry Enterprise Server for Microsoft Exchange. The patch is available at: http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
- For resolution of the Blackberry Enterprise Server issue, please see the following knowledge base article provided by Microsoft: http://support.microsoft.com/kb/912918
REFERENCES:
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
CVE-2006-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027
ISS
http://xforce.iss.net/xforce/alerts/id/221
Secunia
http://secunia.com/advisories/20029/
BlackBerry Technical Support Knowledge Base Article
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/8149/8064/Support_-_User_cannot_send_messages_because_the_Send_As_permission_has_been_revoked.html?nodeid=1166052&vernum=8
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
