CERTVU:111947Microsoft Exchange Outlook Web Access fails to authenticate users when searching the Global Address List
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.015 Low
EPSS
Percentile
86.8%
Overview
Microsoft Exchange servers that offer the Outlook Web Access service are vulnerable to an information disclosure vulnerability that can reveal any email address stored in the Global Address List.
Description
The Outlook Web Access (OWA) component of Microsoft Exchange allows users to access their email with a web browser, obviating the need for a standalone email client. This functionality is implemented with several ASP scripts that allow users to perform typical tasks such as reading, composing, and managing mail messsages. Most of these functions require users to authenticate to the application, thereby protecting the content of the messages. However, the ASP script used by OWA to search the Global Address List (GAL) does not require authentication, which presents an information disclosure vulnerability. By writing custom ASP scripts that bypass the authenticated components of OWA, it is possible for an attacker to learn any email address stored within the GAL.
Impact
Attackers can exploit this vulnerability to perform unauthenticated searches on sensitive contact information. For example, an attacker could obtain a user’s email address by searching on their name.
Solution
Apply a patch from your vendor
Microsoft has released a patch to address this vulnerability; For more information, please consult the vendor information section below.
Disable Outlook Web Access
Microsoft has reported that this vulnerability affects Exchange 5.5 servers running the OWA service. If your local policies prevent the immediate installation of the patch recommended by Microsoft, it is possible to work around this vulnerability by disabling OWA.
Vendor Information
111947
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft __ Affected
Notified: August 22, 2001 Updated: September 12, 2001
Status
Affected
Vendor Statement
Microsoft has addressed this vulnerability in the following Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS01-047.asp
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has archived Microsoft’s announcement of MS01-047 at
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.microsoft.com/technet/security/bulletin/ms01-047.asp>
- <http://www.securiteam.com/windowsntfocus/5WP091P5FQ.html>
- <http://www.securityfocus.com/bid/3301>
Acknowledgements
The CERT/CC thanks Joseph Steinberg of Whale Communications for reporting this vulnerability.
This document was written by Jeffrey P. Lanza.
Other Information
| CVE IDs: | CVE-2001-0660 |
|---|---|
| Severity Metric: | 6.62 Date Public: |
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.015 Low
EPSS
Percentile
86.8%