Microsoft Exchange OWA deeply-nested folder request denial of service
| exchange-owa-folder-request-dos (7168) |  Medium Risk |
Description:
Microsoft Exchange Server 2000 using the Outlook Web Access (OWA) service is vulnerable to a denial of service attack. If an attacker makes repeated requests for non-existent and deeply-nested mail folders, the attacker could cause the consumption of all CPU availability on the server processing the request. The server would resume normal functionality once the request has completed.
Consequences:
Denial of Service
Remedy:
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS01-049. See References.
References:
- Microsoft Security Bulletin MS01-049: Deeply-nested OWA Request Can Consume Server CPU Availability.
- BID-3368: Microsoft Exchange OWA Server Resource Starvation Vulnerability
- CVE-2001-0666: Outlook Web Access (OWA) in Microsoft Exchange 2000 allows an authenticated user to cause a denial of service (CPU consumption) via a malformed OWA request for a deeply nested folder within the user's mailbox.
Platforms Affected:
- Microsoft Exchange Server 2000
Reported:
Sep 26, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net