CERT-In Vulnerability Note CIVN-2009-24
Multiple Vulnerabilities in Microsoft Exchange

Original Issue Date: February 11, 2009

Severity Rating: High

Systems Affected

  • Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007 Service Pack 1 (32-bit and x64-based editions)

Overview

Multiple vulnerabilities have been reported in various versions of Microsoft Exchange Server. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and take complete control of the affected system with Exchange Server service account privileges, or could cause a Denial of Service.

Description

Transport Neutral Encapsulation (TNEF) is a format used by the Microsoft Exchange Server when sending messages formatted as Rich Text Format (RTF). When Microsoft Exchange is sending a message to another Microsoft e-mail client, it extracts all the formatting information and encodes it in a special TNEF block. It then sends the message in two parts: the text message with the formatting removed, and the formatting instructions in the TNEF block. On the receiving side, a Microsoft e-mail client processes the TNEF block and re-formats the message.
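The two-part layout described above can be inspected at a mail gateway before a message reaches the server. The following is an added example, not code from CERT-In or Microsoft: it locates the TNEF part of a MIME message and checks that the block is structurally sound (signature, attribute lengths, checksums). The record layout used is the publicly documented TNEF stream format, which this note does not describe, and the sample messages and attribute values are constructed.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # little-endian magic at the start of a TNEF stream
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def walk_tnef(blob):  # -> [(level, tag, length)]; ValueError if malformed
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("bad TNEF signature")
    pos, attrs = 6, []  # skip 4-byte signature and 2-byte key
    while pos < len(blob):
        if len(blob) - pos < 9:
            raise ValueError("truncated attribute header")
        level, tag, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if level not in (1, 2):  # 1 = message, 2 = attachment
            raise ValueError("unknown attribute level")
        if length > len(blob) - pos - 2:  # data plus 2-byte checksum must fit
            raise ValueError("declared length exceeds remaining data")
        (checksum,) = struct.unpack_from("<H", blob, pos + length)
        if sum(blob[pos:pos + length]) & 0xFFFF != checksum:
            raise ValueError("attribute checksum mismatch")
        attrs.append((level, tag, length))
        pos += length + 2
    return attrs

def triage(raw_message):  # -> [(filename, verdict, detail)] per TNEF part
    results = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_type() in TNEF_TYPES:
            try:
                attrs = walk_tnef(part.get_payload(decode=True))
                results.append((part.get_filename(), "ok", len(attrs)))
            except ValueError as exc:
                results.append((part.get_filename(), "malformed", str(exc)))
    return results

def build_sample(tnef_blob):  # constructed message: text body plus TNEF block
    msg = EmailMessage()
    msg.set_content("Body text with the formatting removed")
    msg.add_attachment(tnef_blob, maintype="application", subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()

HEADER = struct.pack("<IH", TNEF_SIGNATURE, 1)  # constructed samples follow
GOOD = HEADER + struct.pack("<BII", 1, 0x00089006, 4) + b"\x00\x00\x01\x00" + struct.pack("<H", 1)
BAD = HEADER + struct.pack("<BII", 1, 0x00089006, 0xFFFF) + b"\x00" * 4  # length field lies

if __name__ == "__main__":
    print(triage(build_sample(GOOD)), triage(build_sample(BAD)))
```

A structurally valid block is not evidence that a message is harmless; the check only rejects streams whose framing is inconsistent, and the updates in the Solution section remain the fix.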

MAPI is a set of functions that mail-enabled and mail-aware applications use to create, manipulate, transfer, and store mail messages. It gives application developers the tools to define the purpose and content of mail messages and gives them flexibility in their management of stored mail messages. It also provides a common interface that application developers can use to create mail-enabled and mail-aware applications independent of the underlying messaging system.

The Electronic Messaging System Microsoft Data Base, 32-bit build (EMSMDB32) provider is the Exchange Transport provider, which implements both a transport provider and a message store provider for MAPI. It provides the ability to submit messages to Exchange Server and to read (and possibly write) messages in an Exchange store.

The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange. The System Attendant service performs numerous functions related to the ongoing maintenance of the Exchange system, such as address lists, offline address book generation, and directory lookup facilities.

1. Memory Corruption Vulnerability (CVE-2009-0098)

This is a remote code execution vulnerability caused by Exchange Server not properly decoding TNEF data within e-mail messages.

An attacker could exploit this vulnerability by sending a malicious e-mail message to the Exchange Server. When the Microsoft Exchange Server Information Store attempts to process the message, an exploitable memory corruption error may occur. The attacker could leverage the memory corruption to execute arbitrary code on the affected system with the permissions of the Exchange Server service account and take complete control of the affected system.

2. Literal Processing Vulnerability (CVE-2009-0099)

This is a Denial of Service vulnerability caused by insufficient sanitization of invalid MAPI commands handled by systems using the EMSMDB32 provider.

An attacker could exploit this vulnerability by sending an invalid MAPI command to the application or service that uses the EMSMDB32 provider. The processing of the MAPI command could cause Exchange or the related System Attendant service to become unresponsive, resulting in a DoS condition.

Successful exploitation of this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

Solution

Apply the appropriate updates as described in Microsoft Security Bulletin MS09-003.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx

References

Secunia
http://secunia.com/advisories/33838/

Security Tracker
http://www.securitytracker.com/alerts/2009/Feb/1021700.html
http://www.securitytracker.com/alerts/2009/Feb/1021701.html

SecurityFocus
http://www.securityfocus.com/bid/33134

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=17550
http://tools.cisco.com/security/center/viewAlert.x?alertId=17551

VUPEN
http://www.vupen.com/english/advisories/2009/0390

CVE Name
CVE-2009-0098
CVE-2009-0099

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003