Microsoft Exchange OWA using RSA Security SecurID authentication bypass

exchange-owa-securid-bypass (8681) The risk level is classified as Low Risk

Description:

Microsoft Exchange Server could allow a remote attacker to access an OWA account without authenticating with SecurID. If a remote attacker authenticates using SecurID and logs into an email account through OWA as the same user that has been authenticated using SecurID, the attacker could log out of the primary email account and log into a different OWA account without having to re-authenticate using SecurID. An attacker could exploit this vulnerability by performing multiple login attempts to OWA after the initial error message has been displayed that notifies the user that the SecurID and NT usernames do not match.

Note: In addition to requiring a valid SecurID token, the attacker would also need more than one valid NT username and password to exploit this vulnerability.
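
The flaw comes down to the OWA login accepting any valid NT credentials once the session has passed the SecurID agent, instead of requiring the OWA user to be the same identity that SecurID verified. The following Python model is an added illustration, not code from Microsoft, RSA or this database; the account store, token values and session object are constructed, and the model leaves out the retry behaviour the description mentions, showing only the identity-binding check whose absence causes the bypass.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed NT account store (hypothetical users and passwords).
NT_ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw"}
# Constructed SecurID assignments: which token value belongs to which user.
SECURID_TOKENS = {"alice": "tok-A", "bob": "tok-B"}


@dataclass
class Session:
    """One browser session that passes the SecurID agent and then OWA."""
    securid_user: Optional[str] = None  # identity that satisfied the SecurID agent
    owa_user: Optional[str] = None      # mailbox currently open in OWA


def securid_login(session: Session, username: str, token: str) -> bool:
    """First factor: the SecurID Web Agent verifies the token for this user."""
    if SECURID_TOKENS.get(username) != token:
        return False
    session.securid_user = username
    return True


def owa_logout(session: Session) -> None:
    """Logging out of OWA does not clear the SecurID state of the session."""
    session.owa_user = None


def owa_login_vulnerable(session: Session, username: str, password: str) -> bool:
    """Flawed second factor: checks that the session passed SecurID at some
    point, but never that the OWA username matches the SecurID identity."""
    if session.securid_user is None:
        return False
    if NT_ACCOUNTS.get(username) != password:
        return False
    session.owa_user = username
    return True


def owa_login_fixed(session: Session, username: str, password: str) -> bool:
    """Hardened second factor: both factors must name the same identity,
    so a second OWA login as another user is refused until SecurID is redone."""
    if session.securid_user is None or username != session.securid_user:
        return False
    if NT_ACCOUNTS.get(username) != password:
        return False
    session.owa_user = username
    return True
```

In the vulnerable path, a session that satisfied SecurID as alice can log out of OWA and log back in as bob with bob's NT password; the fixed path rejects that because bob never passed the SecurID agent in this session.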

Platforms Affected:

  • Microsoft, Exchange Server 2000
  • Microsoft, Exchange Server 5.5
  • RSA, SecurID Web Agent 5

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Bypass Security

References:

  • BugTraq Mailing List, Thu Mar 28 2002 - 03:58:58 CST, Authentication with RSA SecurID and Outlook web access at http://archives.neohapsis.com/archives/bugtraq/2002-03/0354.html.
  • BID-4390: Microsoft Outlook Web Access with RSA SecurID Authentication Bypass Vulnerability
  • CVE-2002-0507: An interaction between Microsoft Outlook Web Access (OWA) with RSA SecurID allows local users to bypass the SecurID authentication for a previous user via several submissions of an OWA Authentication request with the proper OWA password for the previous user, which is eventually accepted by OWA.

Reported:

Mar 28, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
