Microsoft Exchange
While researching the fixes issued by Microsoft in Microsoft's Security
Bulletin MS10-024
[http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx]
published April 13, 2010, Nicolas Economou discovered two vulnerabilities
in Windows SMTP Service and Microsoft Exchange. These vulnerabilities
were fixed by the patches referenced in MS10-024 but were not disclosed
in the vendor's security bulletin and did not have a unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
bulletin may overlook or misrepresent actual threat scenarios.
Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
Affected products:
EMC SW: EMC SourceOne Email Management for Microsoft Exchange 6.5.2.3668 (SP2 HF3) and earlier
EMC SW: EMC SourceOne Email Management for Notes/Domino 6.5.2.3668 (SP2 HF3) and earlier
EMC SW: EMC SourceOne Email Management for Microsoft Exchange 6.6.0.1209 (HF1) and earlier
The following NetWorker products are affected by this issue:
* NetWorker Server, Storage Node and Client 7.3.x and 7.4, 7.4.1, 7.4.2
* NetWorker Client and Storage Node for Open VMS 7.3.2 ECO6 and earlier
* NetWorker Module for Microsoft Exchange 5.1 and earlier
* NetWorker Module for Microsoft Applications 2.0 and earlier
* NetWorker Module for Meditech 2.0 and earlier
* NetWorker PowerSnap 2.4 SP1 and earlier
The following NetWorker products contain resolutions to this issue:
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
- Kaspersky® Anti-Virus for Linux File Server
- Kaspersky® Anti-Virus for Samba Server
- Kaspersky® Security for Microsoft Exchange 2007
- Kaspersky® Security for Microsoft Exchange 2003
- Kaspersky® Anti-Virus for Lotus Notes/Domino
- Kaspersky® Anti-Virus for Windows Workstation
- Kaspersky® Anti-Virus for Linux Workstation
- Kaspersky® Anti-Virus for Linux Mail Server
iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.
V. WORKAROUND
It is possible to disable the PDF Distiller, which will prevent the
3) Vendor's Description of Software
Symantec Backup Exec 11d for Windows Servers is the gold standard in
Windows data recovery, providing cost-effective, high-performance, and
certified disk-to-disk-to-tape backup and recovery--with available
continuous data protection for Microsoft Exchange, SQL, file servers,
and workstations. High-performance agents and options provide fast,
flexible, granular protection and recovery, and scalable management of
local and remote server backups."
Product Link:
access. Once these approvals are obtained, Identity Manager will
automatically create user accounts allowing the new employee to do his
or her job. This may include creating the user account for the new
employee in the company's HR systems (PeopleSoft), giving him or her
access to ERP applications (SAP) and/or creating an email account
(Microsoft Exchange). If the employee changes roles in the company,
Identity Manager will update the user account and provide access to the
necessary resources required in that new role. When an employee leaves
the company, Identity Manager automatically removes his or her user
accounts to prevent access. By using Identity Manager, the entire
provisioning and deprovisioning process can be automated--saving the
iDefense confirmed the existence of this vulnerability using the
following versions of the affected software:
kvolefio.dll version 8.5.0.8339, distributed with IBM Lotus Notes 8.5
kvolefio.dll version 10.5.0.0, distributed with Symantec Mail Security
for Microsoft Exchange
All versions of the KeyView SDK that include the "kvolefio.dll" library
are suspected to be vulnerable. All applications that utilize
Autonomy's KeyView SDK to process untrusted content are also believed
to be vulnerable. A full list of vulnerable Symantec products can be
Affected Software:
NetWorker Server, Storage Node and Client 7.4 SP3
NetWorker Server, Storage Node and Client 7.3 SP4 build 565
NetWorker Client and Storage Node for Open VMS 7.3.2 ECO7
NetWorker Module for Microsoft Exchange 5.1 SP1
NetWorker Module for Microsoft Applications 2.1
NetWorker Module for Meditech 2.0 SP1
NetWorker PowerSnap 2.4 SP2
Additional Information:
following versions of the affected software:
xlssr.dll version 8.0.0.7214, distributed with IBM Lotus Notes 8.0
xlssr.dll version 8.5.0.8339, distributed with IBM Lotus Notes 8.5
xlssr.dll version 10.5.0.0, distributed with Symantec Mail Security
for Microsoft Exchange
All versions of the KeyView SDK that include the "xlssr.dll" filter
module are suspected to be vulnerable.
V. WORKAROUND
Affected Products
=================
Cisco Unity is a voice and unified messaging platform. Cisco Unity can
be configured to interoperate with Microsoft Exchange or IBM Lotus
Domino enabling users to access e-mail, voice, and fax messages from a
single inbox.
Vulnerable Products
+------------------
#############################################################
Introduction:
-------------
The vulnerability found targets the Outlook Web Access application
for Microsoft Exchange 2003. A valid user can be redirected to a
malicious website when clicking on a specially crafted URL which can
be sent to the user by email. If the user is logged in,
he is redirected instantly - if he is not logged in yet, the login page
will be displayed and he will be redirected after successful login.
This vulnerability can be used to redirect the user to a phishing
> #############################################################
>
> Introduction:
> -------------
> The vulnerability found targets the Outlook Web Access application
> for Microsoft Exchange 2003. A valid user can be redirected to a
> malicious website when clicking on a specially crafted URL which can
> be sent to the user by email. If the user is logged in,
> he is redirected instantly - if he is not logged in yet, the login page
> will be displayed and he will be redirected after successful login.
> This vulnerability can be used to redirect the user to a phishing
"The Award-winning IMail Server is a proven email messaging solution for small and mid-sized businesses.
Reliable, scalable and versatile, IMail Server is an affordable choice that meets the messaging needs
of small and medium sized businesses. Unlike complicated and more expensive messaging solutions, IMail
Server delivers a quick and easy installation. As a scalable, standards-based, email server with Webmail,
optional integration with Microsoft Exchange ActiveSync(r), SMTP, POP, IMAP, LDAP, and List Server, IMail
users can send and receive email using any standards-based client, including Microsoft Outlook(r),
Outlook Express(r), or Eudora(r). Or, users can access email from anywhere via IMail's customizable Web
messaging, available in eight languages.
Designed to place minimal ongoing maintenance burden on network administrators, IMail can authenticate
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
----------------------
Novell GroupWise is a complete collaboration software solution that
provides information workers with e-mail, calendaring, instant
messaging, task management, and contact and document management
functions. The leading alternative to Microsoft Exchange, GroupWise
has long been praised by customers and industry watchers for its
security and reliability.
http://www.novell.com/products/groupwise/
Affected products :
~~~~~~~~~~~~~~~~~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
will be triggered. Upon successful exploitation, the attacker will gain
the privileges of the "GoodAdmin" user. This is a special user account
which, in some configurations, may be a member of the "Administrator"
group. Regardless of the user's "Administrator" status, the user will
always have full privileges to "Read" and "Send As" all users on the
Microsoft Exchange server. This could allow an attacker to conduct
further social engineering attacks.
Other software packages using Outside In were not investigated.
It is interesting to note that this vulnerability was fixed some time
vulnerable condition will be triggered. Upon successful exploitation,
the attacker will gain the privileges of the "GoodAdmin" user. This is
a special user account which, in some configurations, may be a member
of the "Administrator" group. Regardless of the user's "Administrator"
status, the user will always have full privileges to "Read" and "Send
As" all users on the Microsoft Exchange server. This could allow an
attacker to conduct further social engineering attacks.
Other software packages using Outside In were not investigated.
IV. DETECTION
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Transport Neutral Encapsulation Format (TNEF) is a proprietary e-mail
attachment format used by Microsoft Outlook and Microsoft Exchange
Server. A plugin [3] for Evolution exists that provides basic support
for TNEF encoded e-mails. This plugin uses the ytnef library [4]
(libytnef) for processing TNEF messages. It borrows code from the ytnef
program, which is a program to work with procmail to decode TNEF streams
(winmail.dat attachments). Both applications share (almost) code and
what's on both sides of the buffer you read past, so I can potentially
corrupt the integrity of the image you made, and that's even if I can't grab
control of eip through your bad read.
> 3. Corrupted Microsoft Exchange database crashes EnCase during multi-threaded search/analysis concurrent to acquisition
>
> Response: The report discloses that this particular anomaly occurred only when every single check box was selected in the search dialogue box, including the search, hash value calculation and verify file signatures features. This means that EnCase was directed to acquire an Exchange database and perform a detailed multi-threaded search and analysis of the data at the same time. This procedure is extremely inconsistent with best practices and akin to opening several hundred files in a word processing program, which of course would cause a memory overload.
So, you have options that you don't expect customers to select? If this is
such a problem, why do you allow all of the options to be selected at the