Microsoft Exchange SMTP extended verb request denial of service
| exchange-smtp-verb-dos (13433) |  Low Risk |
Description:
Microsoft Exchange is vulnerable to a denial of service. By connecting to an SMTP port on the vulnerable Exchange server, a remote attacker could send a specially-crafted extended verb request, which are used to communicate Exchange-specific information among Exchange servers, to cause the server to consume a large amount memory. This could cause the SMTP service to crash or cause the server to stop responding to legitimate requests.
Platforms Affected:
- Microsoft, Exchange Server 5.5
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-046. See References.
Consequences:
Denial of Service
References:
- CERT Advisory CA-2003-27, Multiple Vulnerabilities in Microsoft Windows and Exchange at http://www.cert.org/advisories/CA-2003-27.html.
- CIAC Information Bulletin O-005, Microsoft Exchange Server Vulnerabilities at http://www.ciac.org/ciac/bulletins/o-005.shtml.
- Microsoft Security Bulletin MS03-046, Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436) at http://www.microsoft.com/technet/security/bulletin/ms03-046.mspx.
- VulnWatch Mailing List, Wed Oct 22 2003 - 04:13:56 CDT, MS03-046 Microsoft Exchange 2000 Heap Overflow at http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0018.html.
Reported:
Oct 15, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net