MS-ISAC ADVISORY NUMBER:
2006-009

DATE(S) ISSUED:
05/09/2006

SUBJECT:
Vulnerability in Microsoft Exchange Server

OVERVIEW:
On May 9, 2006, Microsoft reported that a vulnerability exists in several versions of Microsoft Exchange Server. An attacker can send a specially-crafted calendar message which when processed by the Exchange server will allow the attacker to take complete control of the vulnerable system.

SYSTEMS AFFECTED:

  • Microsoft Exchange Server 2000 Service Pack 3
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Not Applicable

DESCRIPTION:
Microsoft Exchange Server 2000 SP3 and Exchange Server 2003 are reported to be vulnerable to a remote code execution attack. The vulnerability stems from the way the Exchange Server processes certain properties in meeting requests. The two properties are iCal and vCal. Virtual Calendar (vCAL) and Internet Calendar (iCAL) are MIME content types used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling. These properties of an email meeting request are usually present in a file called meeting.ics.

An attacker can send a malicious meeting request directly, or an email with a malicious meeting request (meeting.ics) attached. Once the Exchange Server processes the meeting request, the attacker can take complete control of the server. User interaction is not required, and Microsoft has provided no mitigating factors for this vulnerability.

Blocking meeting.ics attachments is not a recommended workaround. If blocked, legitimate meeting requests will not be received at all.
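Because blocking meeting.ics outright breaks legitimate scheduling, a mail gateway or triage script can instead identify calendar parts and log what they carry so that they can be inspected or quarantined selectively. The following is an added example written for this advisory; it is not code from MS-ISAC, Microsoft or any vendor, and it does not model the vulnerable Exchange parsing itself. It assumes a message is available as RFC 822 text, treats text/calendar (iCal) and text/x-vcalendar (vCal) as calendar content types, and uses a constructed sample meeting request; the function and field names (triage_message, parse_calendar, the finding dictionary) are this example's own.

```python
"""Locate iCal/vCal meeting-request parts in a MIME message and summarize them
for logging or selective quarantine, instead of blocking meeting.ics wholesale."""
import email
from email import policy

# MIME content types for Internet Calendar (iCal) and Virtual Calendar (vCal).
CALENDAR_CONTENT_TYPES = {"text/calendar", "text/x-vcalendar"}
CALENDAR_EXTENSIONS = (".ics", ".vcs")

# Constructed sample: an ordinary meeting request carried as a text/calendar
# part named meeting.ics (a hypothetical message, not captured traffic).
SAMPLE_ICS = "\n".join([
    "BEGIN:VCALENDAR",
    "PRODID:-//Example Corp//Constructed Sample//EN",
    "VERSION:2.0",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-uid-0001@example.org",
    "DTSTART:20060510T140000Z",
    "DTEND:20060510T150000Z",
    "SUMMARY:Constructed sample meeting",
    "ORGANIZER:mailto:organizer@example.org",
    "END:VEVENT",
    "END:VCALENDAR",
])
SAMPLE_MESSAGE = (
    "From: organizer@example.org\n"
    "To: attendee@example.org\n"
    "Subject: Constructed sample meeting request\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="constructed-boundary"\n'
    "\n"
    "--constructed-boundary\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please see the attached meeting request.\n"
    "--constructed-boundary\n"
    'Content-Type: text/calendar; charset=us-ascii; method=REQUEST; name="meeting.ics"\n'
    'Content-Disposition: attachment; filename="meeting.ics"\n'
    "\n" + SAMPLE_ICS + "\n"
    "--constructed-boundary--\n"
)


def unfold_ical(text: str) -> list[str]:
    """Join folded iCalendar lines (a continuation line starts with space or tab)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_calendar(text: str) -> dict:
    """Minimal structural parse: top-level METHOD, UID/SUMMARY/DTSTART per VEVENT,
    and a 'malformed' flag for unbalanced BEGIN/END or lines with no ':' separator."""
    info: dict = {"method": None, "events": [], "malformed": False}
    stack: list[str] = []        # open BEGIN components
    current: dict = {}
    for line in unfold_ical(text):
        if not line.strip():
            continue
        if ":" not in line:
            info["malformed"] = True
            continue
        name_part, value = line.split(":", 1)
        name = name_part.split(";", 1)[0].upper()   # drop property parameters
        if name == "BEGIN":
            stack.append(value.upper())
            if value.upper() == "VEVENT":
                current = {}
        elif name == "END":
            if not stack or stack.pop() != value.upper():
                info["malformed"] = True
            elif value.upper() == "VEVENT":
                info["events"].append(current)
        elif name == "METHOD" and stack == ["VCALENDAR"]:
            info["method"] = value.upper()
        elif stack and stack[-1] == "VEVENT" and name in ("UID", "SUMMARY", "DTSTART"):
            current[name.lower()] = value
    if stack:                     # unterminated component
        info["malformed"] = True
    return info


def triage_message(raw: str) -> list[dict]:
    """Return one finding per calendar-looking MIME part of an RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[dict] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        by_type = ctype in CALENDAR_CONTENT_TYPES
        by_name = filename.lower().endswith(CALENDAR_EXTENSIONS)
        if not (by_type or by_name):
            continue
        body = part.get_content()
        if isinstance(body, bytes):   # e.g. application/octet-stream named .ics
            body = body.decode("utf-8", errors="replace")
        cal = parse_calendar(body)
        findings.append({
            "content_type": ctype,
            "filename": filename,
            "mime_method": (part.get_param("method") or "").upper() or None,
            "ical_method": cal["method"],
            "events": cal["events"],
            "malformed": cal["malformed"],
            # calendar name on a non-calendar type (or vice versa) deserves a look
            "type_mismatch": by_type != by_name,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE):
        print(finding)
```

Each finding is a flat record suitable for a log line or SIEM event; routing parts with `malformed` or `type_mismatch` set to a holding queue keeps ordinary meeting requests flowing while the update is rolled out.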

Please Note: AT&T Internet Protect has determined that when installing this update, it will affect user mailbox permissions by revoking 'Send As' permission in Exchange which has an impact on third party products such as Blackberry Enterprise Server for Microsoft Exchange. Once applied, users on the Blackberry Enterprise Server will not be able to send email from a Blackberry or Blackberry-enabled device.

RECOMMENDATIONS:
We recommend the following actions be taken:

REFERENCES:

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx

CVE-2006-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027

ISS
http://xforce.iss.net/xforce/alerts/id/221

Secunia
http://secunia.com/advisories/20029/

BlackBerry Technical Support Knowledge Base Article
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/8149/8064/Support_-_User_cannot_send_messages_because_the_Send_As_permission_has_been_revoked.html?nodeid=1166052&vernum=8

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.