Secplicity – Security Simplified

Microsoft Exchange and Windows SMTP Service DoS Vulnerability

Summary:

Exposure:

Microsoft Exchange is one of the most popular email servers in use today. Exchange is a stand-alone program, separate from Windows. However, many versions of Windows also ship with a basic SMTP service that can receive email.

In a security bulletin released today, Microsoft describes two security vulnerabilities that affect all current versions of Exchange, as well as the SMTP service that ships with many versions of Windows. The worst of these flaws involves how Exchange handles specially crafted DNS Mail Exchanger (MX) records: the SMTP service hangs indefinitely when it attempts to parse such a record. To exploit this vulnerability, an attacker would have to set up a malicious DNS server for a domain they control, then send you an email containing addresses from that domain. When your mail server requests the MX record associated with this domain, it encounters the attacker's specially crafted MX record and hangs until you manually reboot it. This results in a Denial of Service (DoS) condition for email.

Microsoft’s bulletin also describes a lower-risk information disclosure vulnerability in Exchange. By sending specially crafted SMTP commands, an attacker may be able to retrieve random email fragments from your server’s memory. We recommend you download and install the Exchange and Windows updates as soon as possible to fix both of these issues.

Solution Path:

Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Exchange and Windows patches as soon as possible.

For All WatchGuard Users:

An attacker can exploit the worst of these vulnerabilities by sending normal emails, which you must allow through your firewall if you have an internal email server. Therefore, the patches above are your best solution.
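Because the hang described above persists until someone reboots the server, it helps to notice it quickly. The following Python probe is an added example, not code from Microsoft or from the original post: it classifies an SMTP listener by whether it sends its 220 greeting in time. The status names, timeout and alert threshold are assumptions, as is the premise that a hung service either stops completing connections or accepts them without greeting.

```python
import socket
import sys


def probe_smtp(host, port=25, timeout=5.0):
    """Return 'healthy', 'hung', 'down' or 'unexpected' for an SMTP listener."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "hung"   # connection attempt never completed
    except OSError:
        return "down"   # refused or unreachable: service is not listening
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)
        except socket.timeout:
            return "hung"   # TCP accepted, but no SMTP greeting arrived
        except OSError:
            return "down"
        if not banner:
            return "down"   # peer closed the connection without greeting
        if banner.startswith(b"220"):
            try:
                sock.sendall(b"QUIT\r\n")   # end the session politely
            except OSError:
                pass
            return "healthy"
        return "unexpected"  # e.g. 421/554: answering, but not accepting mail


def should_alert(results, consecutive=3):
    """Alert only after N unhealthy probes in a row, to avoid flapping."""
    tail = results[-consecutive:]
    return len(tail) == consecutive and all(r != "healthy" for r in tail)


if __name__ == "__main__":
    # Usage: python probe.py <mail-server> ; defaults to the local machine.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_smtp(target))
```

Run it from a scheduler on a host other than the mail server, and feed the recent results to `should_alert` before paging anyone.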

Status:

Microsoft has released patches to fix these vulnerabilities.
