MS-ISAC ADVISORY NUMBER:
2009-006

DATE(S) ISSUED:
2/10/2009

SUBJECT:
Vulnerabilities in Microsoft Exchange Server

OVERVIEW:

Two vulnerabilities have been found in Microsoft Exchange Server (Microsoft's mail server) which could allow an attacker to take complete control of a vulnerable system or cause a Denial of Service (DoS) condition. Successful exploitation of the first vulnerability could result in an attacker gaining the same privileges as the Exchange server service account. Depending on the privileges associated with this service account, an attacker could then install programs; view, change, or delete data; or create new accounts. Successful exploitation of the second vulnerability could result in a Denial of Service condition.

SYSTEMS AFFECTED:

  • Microsoft Exchange Server 2000 Service Pack 3
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007 Service Pack 1

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: N/A

DESCRIPTION:
Two vulnerabilities have been found in Microsoft Exchange Server (Microsoft's mail server) which could allow an attacker to take complete control of a vulnerable system or cause a Denial of Service (DoS) condition.

The first vulnerability is in the way specially crafted e-mail messages formatted using the Transport Neutral Encapsulation Format (TNEF) are processed by the Microsoft Exchange Server. TNEF is a format used by Microsoft Exchange Server when sending messages formatted as Rich Text Format (RTF). An attacker could exploit this vulnerability by sending a specially crafted e-mail message using this format to a Microsoft Exchange user. Successful exploitation of the first vulnerability could result in an attacker gaining the same privileges as the Exchange server service account.
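
To see which messages carry TNEF content while patches are being tested, the following added example (not part of the MS-ISAC advisory or of Microsoft's guidance) walks a raw MIME message and reports TNEF parts by declared type, by the conventional winmail.dat filename, and by the stream signature, which also catches a TNEF body under a different label. The signature value 0x223E9F78 and the MIME type names are assumptions taken from general knowledge of the format, not from the advisory; the sample message, addresses and filenames are constructed.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # assumed: first 4 bytes of a TNEF stream, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def find_tnef_parts(raw_message: bytes):
    """Return (filename, content_type, reason) for every part that looks like TNEF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        has_magic = (len(payload) >= 4
                     and struct.unpack("<I", payload[:4])[0] == TNEF_SIGNATURE)
        if has_magic:
            reason = "signature"       # content is TNEF whatever the label says
        elif ctype in TNEF_TYPES:
            reason = "declared-type"   # labelled TNEF, body does not match
        elif name == "winmail.dat":
            reason = "filename"
        else:
            continue
        hits.append((name, ctype, reason))
    return hits


def constructed_sample() -> bytes:
    """Constructed test message: one mislabelled TNEF stream, one declared TNEF part."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    tnef_like = struct.pack("<IH", TNEF_SIGNATURE, 1) + b"\x00" * 8
    m.add_attachment(tnef_like, maintype="application",
                     subtype="octet-stream", filename="notes.bin")
    m.add_attachment(b"not tnef", maintype="application",
                     subtype="ms-tnef", filename="winmail.dat")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in find_tnef_parts(constructed_sample()):
        print(hit)
```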

The second vulnerability is in the way the Microsoft Exchange Server handles Messaging Application Programming Interface (MAPI) commands. Successful exploitation of this vulnerability could result in a Denial of Service (DoS) condition.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Apply the principle of Least Privilege to all services.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/ms09-003.mspx

Security Focus:
http://www.securityfocus.com/bid/33134

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0098
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0099

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.