Reported October 15, 2003, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Exchange 2000 Server Service Pack 3 (SP3)
  • Exchange Server 5.5 SP4

DESCRIPTION

·         A vulnerability in Exchange Server can result in a Denial of Service (DoS) condition or the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the Internet Mail Service that can permit an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially crafted extended verb request. This scenario can result in the allocation of a large amount of memory and potentially cause a buffer overrun that could permit the attacker to run malicious programs in the security context of the SMTP service.

VENDOR RESPONSE

Microsoft has released security bulletin MS03-046, "Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT

Discovered by Joăo Gouveia.