MS-ISAC ADVISORY NUMBER:
2007-011 Updated

DATE(S) ISSUED:
5/8/2007 - Updated

SUBJECT:
Vulnerabilities in Microsoft Exchange Server

OVERVIEW:
Four vulnerabilities have been found in Microsoft Exchange Server which could allow malicious users to cause a denial of service and in some cases allow the attacker to take complete control of the vulnerable system. All of these vulnerabilities can be exploited by sending a specially crafted malicious email to an account on a vulnerable Microsoft Exchange Server. This is particularly important because no user action is required to exploit this vulnerability. Additionally, one of these vulnerabilities, if successfully exploited, can allow an attacker to remotely execute commands which then gives the attacker the ability to take complete control of the affected system.

SYSTEMS AFFECTED:

  • Microsoft Exchange Server 2000 Service Pack 3
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: Med

Home users: Not Applicable

DESCRIPTION:
Microsoft has released a security bulletin which states that Microsoft Exchange is vulnerable to malformed e-mail messages which contain malicious Outlook Web Access (OWA) script-based attachments. An attacker must first send the e-mail message with the attached script to the victim. The victim must then run the script for the vulnerability to be successful. An attached script could spoof content, disclose information, or take any action that the user could take within the context of the OWA session. These actions could include monitoring the user's Web session and forwarding information to a third party, running other code on the user's system, and reading or writing cookies.

In the same security bulletin, Microsoft released information on vulnerabilities in the way that Exchange server handles specially crafted e-mails containing malformed Internet Calendar (iCal), Multipurpose Internet Mail Extensions (MIME), and Internet Message Access Protocol (IMAP) files. An attacker could exploit these vulnerabilities by sending a specially crafted e-mail message containing these files to an Exchange server user account. An attacker successfully exploiting these vulnerabilities could cause the mail server to stop responding, thus creating a denial-of-service. If the malicious file is of the MIME type, the attacker could take complete control of the Exchange server. It should be noted that no user interaction is required and there are no mitigating factors provided by Microsoft for this vulnerability.

RECOMMENDATIONS:
We recommend the following actions be taken:

REFERENCES:
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS07-026.mspx(New Window)

CVE-2007-026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-026(New Window)

Secunia
http://secunia.com/advisories/25183/(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.