There’s a new Exchange security update (MS05-021) out; there is a potential for remote code execution. There are updates for:
- Exchange 2000 Server Service Pack 3 (update of MS04-035)
- Exchange Server 2003
- Exchange Server 2003 Service Pack 1
Exchange 5.0 and 5.5 are not affected.
The flaw allows a remote SMTP session to run code in the context of the SMTP service by exploiting a buffer overflow in the proprietary Exchange X-LINK2STATE SMTP extension. On Exchange 2003, the vulnerability cannot be triggered by anonymous users; attackers must be authenticated and, according to the bulletin, would also need to be granted the level of trust normally given to other Exchange servers in the organization. The Exchange 2000 hotfix raises the level of authentication that Exchange requires.
ISA 2000 and ISA 2004 SMTP filtering/SMTP publishing can help mitigate this flaw, as will disallowing connections from anonymous SMTP sessions (this will, of course, prevent the bulk of incoming external SMTP mail). According to KB 812455, the X-LINK2STATE verb only requires a single reply, and the maximum size of both the command and the reply is 1,024 bytes, which seems to fit the criteria listed in Using the ISA Server 2004 SMTP Filter and Message Screener for adding the X-LINK2STATE verb to the ISA 2004 SMTP filter. [Editor: I have not tested this approach; if anyone knows of a reason why it won’t work, please let me know via the comments.]
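To make the verb/length policy described above concrete, here is an added example (not from the bulletin, KB 812455 or ISA) that applies a per-verb maximum command length to a constructed SMTP session log and also flags X-LINK2STATE arriving from an anonymous session. The log format, the session/auth markers and every limit other than the 1,024-byte X-LINK2STATE figure are assumptions made for the example.

```python
"""Check client SMTP commands against a verb/length policy like the ISA SMTP filter's."""
import re
from dataclasses import dataclass

# Maximum accepted length in bytes of the whole command line, per verb.
# Only the X-LINK2STATE figure comes from KB 812455 (as cited in the post);
# the other values are placeholders chosen for this example.
VERB_MAX_BYTES = {
    "EHLO": 512, "MAIL": 512, "RCPT": 512, "DATA": 512, "AUTH": 512,
    "X-LINK2STATE": 1024,
}
# Verbs meaningful only between trusted Exchange servers: an anonymous
# session sending one deserves an alert even when the length is in range.
SERVER_ONLY_VERBS = {"X-LINK2STATE"}

# Assumed log format: "<session-id> <anon|auth> C: <client command line>"
LOG_RE = re.compile(r"^(?P<session>\S+) (?P<auth>anon|auth) C: (?P<line>.*)$")


@dataclass(frozen=True)
class Finding:
    session: str
    verb: str
    reason: str


def check_session_log(lines):
    """Return one Finding per client command line that violates the policy."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # server replies ("S:") and unparsable lines are ignored
        cmd, session = m.group("line"), m.group("session")
        verb = cmd.split(" ", 1)[0].upper()
        if verb not in VERB_MAX_BYTES:
            findings.append(Finding(session, verb, "verb not in allow-list"))
            continue
        if len(cmd.encode("utf-8")) > VERB_MAX_BYTES[verb]:
            findings.append(Finding(session, verb, "command exceeds max length"))
        if verb in SERVER_ONLY_VERBS and m.group("auth") == "anon":
            findings.append(Finding(session, verb, "server-only verb from anonymous session"))
    return findings


# Constructed transcript: one anonymous inbound session (s1) and one
# authenticated server-to-server session (s2).
SAMPLE_LOG = [
    "s1 anon C: EHLO mail.example.test",
    "s1 anon S: 250-mail.example.test Hello",
    "s1 anon C: X-LINK2STATE FIRST LAST " + "A" * 1100,
    "s2 auth C: EHLO hub.example.test",
    "s2 auth C: X-LINK2STATE FIRST LAST " + "B" * 200,
    "s2 auth C: VRFY someone",
]
```

Running `check_session_log(SAMPLE_LOG)` yields three findings: s1's over-length X-LINK2STATE, the same command coming from an anonymous session, and s2's VRFY, which is not on the allow-list.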
The bulletin also gives a procedure to un-register XLASINK.DLL, which prevents updates of link state information over SMTP and requires Exchange to fall back to Active Directory for routing information. Because the flaw is in an Exchange SMTP extension, the underlying IIS SMTP service is not affected.
Get this now and apply it to your Internet-facing Exchange servers. Issues like this, by the way, are an excellent reason for not running Exchange on the edge of your organization, or for heavily restricting which SMTP extensions are active on your edge Exchange machines. If you’re running MBSA 1.2.1, you’ll be alerted about this patch. [Editor: Am I the only one who wishes that Microsoft would start linking some of the excellent tools they’ve got out there, like ExBPA and MBSA, without requiring MOM as a full-fledged management framework?]
Update: Thanks to the message forums at Tom Shinder’s isaserver.com site for all things ISA, I found out about the ISA Server Preventative Measures page at Microsoft. It gives clear, simple directions on configuring ISA to block a number of threats, including this brand-new paper on blocking MS05-021.