Software Engineering Institute

As of October 2003, The CERT/CC has begun seeing reports of exploitation. It is possible that an exploit for this vulnerability exists and is being used. Microsoft Released a patch for this issue in February 2002. It is recommended that USERS of Windows 2000 server and Exchange 5.5 apply the patch provided in MS02-011. In addition to exploiting this vulnerability to cause a denial of service, it is reported that the exploit attempts to guess passwords to common accounts on the system, such as administrator and IUSR_machinename. This highlights the importance of selecting strong passwords. For more information about selecting a strong password, we recommend that users review the following section of the Home Computer Security document:

http://www.cert.org/homeusers/HomeComputerSecurity/#6

The vulnearbility is caused due to a problem in the checks performed after a valid NTLM authentication. A remote user that is able to successfully authneticate via NTLM may be able to utilize the SMTP server resources. The attacker would not gain administrative privileges, but could consume CPU resources, or relay mail in violation of the SMTP server's security policy.

The vulnerability is present in SMTP servers shipped with Windows 2000 server, and Exchange 5.5 Internet Mail Connector. It is not present in the SMTP servers shipped with Windows NT 4.0 or Windows XP.

An attacker that is able to authenticate to the SMTP server may be able to relay mail in violation of the SMTP server's security policy, or consume CPU resources on the SMTP server.

Apply a Patch

Microsoft has published patches correcting this vulnerability. The patches are listed in their advisory at:

http://www.microsoft.com/technet/security/bulletin/MS02-011.asp