Article ID: 310669
Article Last Modified on 3/29/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Exchange Server 5.5 Standard Edition
- Microsoft Exchange Server 5.5 Service Pack 1
- Microsoft Exchange Server 5.5 Service Pack 2
- Microsoft Exchange Server 5.5 Service Pack 3
- Microsoft Exchange Server 5.5 Service Pack 4
- Microsoft Windows NT version 4.0 Option Pack
This article was previously published under Q310669
SYMPTOMS
A vulnerability exists in the Simple Mail Transfer Protocol (SMTP) service that is included with Windows 2000, the Windows NT 4.0 Option Pack, and Exchange Server 5.5.
Note The SMTP service included in the Windows NT 4.0 Option Pack is the same service that is used by Microsoft Commercial Internet Server (MCIS). The MCIS product is no longer supported. Microsoft cannot offer support for issues pursuant to application of this fix to an MCIS installation.
This vulnerability could allow an unauthorized user to consume resources (such as by relaying mail) without authorization. This vulnerability could allow an attacker to disguise the origination point of an e-mail message or to co-opt a server's resources for mass mailings.
This vulnerability does not apply to Exchange Server 5.0 because Exchange Server 5.0 cannot allow or deny relay based on authentication. A workaround for Exchange Server 5.0 is provided in the "Workaround" section of this article.
This vulnerability is subject to the following constraints:
- The vulnerability does not grant administrative permissions to the service, nor does it grant the attacker the ability to run programs or operating system commands.
- Mail servers that run Microsoft Exchange 2000 Server are not affected by this vulnerability.
An SMTP service is included with Windows 2000 and is installed by default. Exchange 2000 Server extends the Windows 2000 SMTP service, but the component that performs authentication is different from the base SMTP service in Windows 2000 and is not affected by the vulnerability.
CAUSE
This vulnerability occurs because of an authentication error in the SMTP service that is installed as part of the Windows NT 4.0 Option Pack, the Microsoft Internet Information Services (IIS) in Windows 2000, or the Internet Mail Connector (IMC) in Exchange Server 5.5. An unauthorized user could be authenticated and to use the server for relaying mail.
RESOLUTION
Windows 2000
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The following file is available for download from the Microsoft Download Center:
![[GRAPHIC: Download]](/wiki/index.php?title=File:Download.gif){kind=small}
Release Date: February 27, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Note This update also corrects the vulnerability that is described in the following Microsoft Knowledge Base article:
313450 MS02-012: A Malformed Data Transfer Request May Cause the Windows SMTP Service to Stop Working
The English version of this hotfix should have the following file attributes or later:
Date Time Version Size File name
--------------------------------------------------------
05-Feb-2002 11:05 5.0.2195.4624 321,296 Aqueue.dll
05-Feb-2002 11:05 5.0.2195.4777 333,072 Asp.dll
05-Feb-2002 11:05 5.0.2195.3649 299,792 Fscfg.dll
05-Feb-2002 11:05 5.0.2195.4624 8,464 Ftpctrs2.dll
05-Feb-2002 11:05 5.0.2195.4624 6,416 Ftpmib.dll
05-Feb-2002 11:05 5.0.2195.4624 9,488 Httpmib.dll
05-Feb-2002 11:05 5.0.2195.4624 13,584 Infoadmn.dll
05-Feb-2002 11:05 5.0.2195.4624 246,032 Infocomm.dll
05-Feb-2002 11:05 5.0.2195.4624 62,736 Isatq.dll
05-Feb-2002 11:05 5.0.2195.4624 66,832 Mailmsg.dll
05-Feb-2002 11:05 5.0.2195.4624 38,160 Ntfsdrv.dll
04-Feb-2002 16:29 5.0.2195.4905 438,544 Smtpsvc.dll
05-Feb-2002 11:05 5.0.2195.4624 7,440 W3ctrs.dll
Note Because of file dependencies, this update requires Windows 2000 Service Pack 2.
Exchange Server 5.5
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Note This update also corrects the problems that are described in the following Microsoft Knowledge Base article:
289258 XGEN: Exchange Server 5.5 Post-Service Pack 4 Internet Mail Service fixes available
The English version of this hotfix should have the following file attributes or later.
For the SMTP service component:
File name Version
-------------------------
Imcmsg.dll 5.5.2655.55
Msexcimc.exe 5.5.2655.55
Note Because of file dependencies, this hotfix requires Exchange Server 5.5 Service Pack 4.
Windows NT 4.0 Option Pack
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The following file is available for download from the Microsoft Download Center:
Release Date: April 13, 2004
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Note This update also corrects the vulnerability that is described in the following Microsoft Knowledge Base article:
313450 MS02-012: A malformed data transfer request may cause the Windows SMTP service to stop working
The English version of this hotfix should have the following file attributes or later.
For the SMTP service component:
File name Version ------------------------- Smtpsvc.dll 5.5.1877.78
Note Because of file dependencies, this hotfix requires Windows NT 4.0 Service Pack 6a.
Note Microsoft also recommends that you install all subsequent critical fixes for Windows NT 4.0 before you apply this SMTP fix.
WORKAROUND
Exchange Server 5.0 Workaround
Exchange 5.0 does not have relay filtering capabilities. To turn off mail relay in Exchange 5.0, you must turn on or turn off SMTP globally for all connections, authenticated or unauthenticated.
In Exchange 5.5, new functionality was added to turn on SMTP routing for authenticated connections only. This new capability had the effect of turning on SMTP routing for authenticated users and turning it off for everyone else.
Microsoft recommends that you do not connect an Exchange 5.0 Internet Mail Connector directly to the Internet unless you turn off SMTP routing. If you do not follow this recommendation, it is likely that your Exchange 5.0 Internet Mail Connector server will soon be discovered to be an open relay. This means it may be used by spammers (that is, people who send junk e-mail messages) to send messages. Your SMTP domain may also be added to block lists. This would prevent your domain from communicating with most other mail servers on the Internet.
To turn off SMTP routing, use Exchange Administrator. Double-click the Internet Mail Connection object, click the Routing tab, and then click Do not re-route incoming SMTP mail. This configuration change will not take effect until the Internet Mail Service is restarted.
If you turn off SMTP routing, clients who connect to your Exchange server through the POP3 protocol cannot send e-mail messages except to other users in your own SMTP domain. This includes all Outlook Express clients. Clients who use the MAPI protocol (Outlook users) are not affected.
STATUS
Windows 2000
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Windows 2000.
Exchange 5.5
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Exchange Server version 5.5.
Windows NT 4.0 Option Pack
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows NT 4.0 Option Pack SMTP service.
For additional information about this vulnerability, visit the following Microsoft Web site:
Additional query words: security_patch
Keywords: kbbug kbfix kbwin2000presp3fix kbsecvulnerability kbqfe kbwin2000sp3fix kbsecurity kbexchange550presp5fix kbsecbulletin kbsechack kbhotfixserver KB310669
