Microsoft Exchange Server 2003 fails to assign user credentials to proper mailbox

Overview

A flaw in the authentication mechanism that Microsoft Exchange Server 2003 uses for Outlook Web Access users in some configurations could expose another user’s mailbox.

Description

Outlook Web Access (OWA) is a feature of Microsoft Exchange Server 2003. By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send e-mail messages, manage their calendar, or perform other mail functions over the Internet by using a Web browser. Exchange servers providing OWA access can be configured in a front-end/back-end configuration that allows users with mailboxes on multiple servers to connect to a single front-end Exchange server. This front-end server in turn connects (“proxies”) to the appropriate back-end servers where mailboxes are actually stored.

A flaw exists in the way that Hypertext Transfer Protocol (HTTP) connections are reused when NTLM authentication is used between front-end Exchange 2003 servers providing OWA access and running Windows 2000 or Windows Server 2003, and back-end Exchange 2003 servers that are running Windows Server 2003. This flaw may expose a vulnerability in which authenticated users on the system are occasionally and unpredictably connected to another user’s mailbox.

Kerberos is the default authentication mechanism between the Exchange server providing OWA and the back-end Exchange server and the vulnerability is not exposed when this method of authentication is used. However, there may be situations in which a fallback to NTLM authentication between these servers has occurred. According to Microsoft this situation may occur when a Microsoft Internet Information Services (IIS) virtual server is extended with Windows SharePoint Services (WSS). The virtual server is subsequently configured to use Integrated Windows authentication (formerly named NTLM, or Windows NT Challenge/Response authentication) and explicitly disables Kerberos authentication. Alternatively, if WSS has been installed on the same server as an Exchange Server 2003 back-end running Windows Server 2003, Kerberos may have been disabled on the website hosting the Exchange programs.

---

Impact

A victim user’s mailbox may be exposed to another user of the system who has successfully authenticated. The authenticated user would then be able to take any action that the victim user would be authorized to take including reading, sending, and deleting e-mail messages in the victim user’s mailbox . According to Microsoft, an attacker attempting to exploit this vulnerability has no guarantee it will succeed. Even if successful, the particular user mailbox exposed is unpredictable.

---

Solution

Apply a patch from the vendor

Microsoft Corporation has published Microsoft Security Bulletin MS04-002 in response to this issue. Users are encouraged to review this bulletin and apply the patches that it refers to.

---

Workarounds

Microsoft Security Bulletin MS04-002 also describes the following workarounds for this vulnerability:

1.\tDisable HTTP connection reuse on an Exchange Server 2003 front-end server.
By default, Exchange Server 2003 reuses HTTP Connections between front-end and back-end servers to gain improved performance. Connection reuse can be turned off on the Exchange front-end server. Doing so could cause some performance degradation, but it is an effective workaround to this vulnerability. After you apply the update to the Exchange Server 2003 front-end server, you can remove this workaround.

See Microsoft Knowledge Base Article 832749 for information about how to disable HTTP connection reuse on a Microsoft Exchange Server 2003 front-end server.

Impact of workaround: Clients may experience small performance degradation when they use OWA to access their mailboxes.

2.\tEnable Kerberos on the virtual server that hosts OWA on the Exchange Server 2003 back-end server.
The only known way that this vulnerability can be exposed is if Kerberos is disabled on the Internet Information Services virtual server where Outlook Web Access is hosted on the back-end server. This configuration change may occur when Windows SharePoint Services (WSS) 2.0 is installed on the same virtual server.

See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication.

See Microsoft Knowledge Base Article 823265 for information about how to re-enable OWA and other Exchange components after you install Windows SharePoint Services.

Impact of workaround: None

Sites, particularly those that are unable to apply the patches above, are encouraged to consider implementing these workarounds.

---

Vendor Information

530660

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: November 24, 2003 Updated: January 14, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft Corporation has published Microsoft Security Bulletin MS04-002 in response to this issue. Users are encouraged to review this bulletin and apply the patches that it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23530660 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/exchange/support/e2k3owa.asp&gt;
• <http://www.ciac.org/ciac/bulletins/o-052.shtml&gt;
• <http://www.secunia.com/advisories/10615/&gt;

Acknowledgements

This vulnerability was originally reported by Matthew Johnson in a public forum.

This document was written by Chad R Dougherty.

Other Information

CVE IDs:	CVE-2003-0904
Severity Metric:	2.70 Date Public: