Slashdot Mirror
Mail Server Flaw Opens MS Exchange to Spam
bl8n8r writes: "
Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.
YES!!! More ammo to convice my IT department to upgrade exchange so I can connect the Ximian Evolution calendar to it. It's the last hurtle between me and 100% linux on the desktop at work.
Ensure? Insure? Do both work now? Apparently dictionary.com says so.
Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.
Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.
Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ......... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.
Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.
Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
Was code red really just a tool for spammers?
----
Squirrel
What sort of IT group decides to run their Exchange environment unprotected on the internet?
I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.
The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.
It's an issue. But Microsoft is saying it's not a big one.
Open realys are not a big problem? Right.
What Microsoft really means we are making money on it so it's not a problem shut up and go away and leave us alone.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
Turn off Guest!
Windows becomes more like *nix every day!
Windows would actually be a decent product if Microsoft could successfully copy the good unix stuff instead of doing perfect copies of it's flaws and flawed copies of the stuff that works.
To know that you know what you know, and that you do not know what you do not know, that is true wisdom. --Scooby Doo
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "
Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?
If thats not the case, well, what you're saying makes no sense.
Since M$ windows will not allow you to delete the guest account (or administrator) it is standerd practis,
after disabeling guest to rename both accounts to somthing hard to guess.
It might shock you but on my Linux boxes the superuser is not called 'root' either.
As of Postgres v6.2, time travel is no longer supported.
this issue was never really resolved for exchange 5.5.. but it is simply resolved in 2000 which is detailed here
If you are running Exchange 5.5 you shouldn't be wasting time locking it down... Your hours would be better spent opening ports on your firewall or something, because 5.5 is so old and underupdated that it more efficient to work on a new mail server with new software.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
Here I thought /. was the source for fair and balanced coverage.
Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.
Turns out its actually a problem in SMTP's RFC
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
Tubal-Cain smokes the white owl.
This is like asking why default passwords exist. It boggles the mind how many users have their default Win2k Administrator account password set to "Admin".
The system should at least make you do a security question, or *something*. Even "type your last name to gain Administrator access" would be more secure than "Admin".
The bottom line is, any sysAdmin who buys a software package because it's got a "security guarrentee" needs to be hit in the face with a hammer, repeatedly.
...and I run multiple Exchange boxen in multiple locations. ...of course I wouldn't do anything so clueless as leave the relays open or leave the default guest account active.
As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
You're using her as bait, Master!
This is either the second, third or forth time in the past 24 months that Microsoft has said the security is a top priority.
But, then again, this is the same company that testified under oath that reveling the Windows source code would harm the National Security of the US. Then they licensed the source code to China.
Perhaps instead of spending a fortune to "innovate" a matrix knockoff (how original) they could spend some money on making secure software.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
This is silly, exchange 5.5 and exchange 2000 don't ship with "allow users to relay if they authenticate regardless of if they are in this list" checked by default. Systems Administrators need to enable that feature specifically.
Also, The guest account is disabled by default.
Saying exchange servers may be relaying because of this 'bug' is like saying linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
If your server has been compromised and you don't take adequate steps to clean it up after that there is the potential that it is still vulnerable.
Mmmm.. Donuts
The effect of articles like this is making true, realisitic criticism of MS security by Unix users look like the same kind of bullshit we see here.
The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISPs network.
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.
Why don't we have articles titled "servers with no passwords vulnerable to attack" -or- "servers with backdoors subject to further compromise"?
:-)
I just submitted these...stay tuned
I'm all for kicking a company when they deserve it but yet again I feel this Microsoft bashing episode is another beefed up piece of CNET pseduo FUD disguised as news. I'm sick of the way they trump up the Windows vs. *Nix wars - it brings in readers (baaaaa).
I agree it's a potential issues, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).
We need less dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing.Companies need to grill their staff better at interviews and follow their performance.
My 2 cents...
This is an SMTP AUTH problem and any mail server which permits relaying using SMTP AUTH and doesn't filter by source IP is open to this type of abuse. Exchange is more susceptible to this attack than other mail servers because there are predictable account names which can be brute forced and SMTP AUTH is enabled by default. It is simple to turn this off.
What is the big deal?
It looks like thinkcomputer has an ulterior motive "Microsoft telephone support is not available without the risk of paying a relatively high per incident fee. Therefore, we recommend contacting Think Computer via e-mail at info@thinkcomputer.com for more information about the issues discussed in this White Paper."
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
It wouldn't be mentioned in that RFC as I believe that was written before any form of user authentication was part of SMTP. AUTH SMTP is described in RFC 2554 - SMTP Service Extension for Authentication however it doesn't mention anything about a "guest" account specifically, just "accounts".
Modern SMTP mail systems are based on a number of RFC's - 2234, 1869, 1891, 2119, 2222, 2476, 2195, 821, 822
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."
Um, excuse me? Any idiot with more than 7 days experience administering a Windows server should know that the Guest account is BAD BAD BAD.
By definition "Guest" doesn't require successful authentication to access resources. The entire reason "Guest" exists is to provide un-authenticated access to resources.
I can read bugtraq as well as anyone else, so I'm aware of the past history Microsoft has with the security of its products. However, no sane person could reasonably attribute this "flaw" to Microsoft software. A more apt description is "Flaw in MS Exchange 5.5 and 2000 Administrators".
I mean really. It's like setting a Windows Domain Administrator account password to "Administrator" or "password" (another major cause of Exchange-based spam. Grep USENET and MS KB's for UI).
No software yet written or ever to be written in the future can make up for mistakes, oversights and sometimes just plain stupidity of humans.
Janie took my gun...
Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".
In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.
In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.
If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.
Mea navis aericumbens anguillis abundat
"If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled. "
What insurance policy would that be on sir?
I think you mean "you may want to ensure..."
..Exchange servers that had been infected by the
Code Red worm and subsequently cleaned will still have the
guest account enabled...
Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS a tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.
Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.
As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.
---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more.
the article says:
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall,"
I hardly think an open Guest account is a security problem with Exchange server. It's more a competance problem with the server's administrator. A lot of systems have a Guest account - if it's enabled, Guest's will get in - that's what those accounts are for!
If by ancient history, you mean September 2003, yeah sure, Sendmail holes are ancient history.
Je ne parle pas francais.
That's what I do. Only thing the spammers see is a ASTARO Security Linux. Which for the 12 person remote office, was the best purchase we ever made. I don't really worry to much about Exchange vulns. Especially since the last patch killed the Exchange server, and I had to come up off backups. For a network admin with better things to do, Astaro Security Linux is great. When my larger network at a very renown hospital system was dealing with viruses and everything else, the remote office didn't see a single infection, even though they connect to the larger network. Thank you Astaro.
There are probably a dozen free mail servers that are smaller, simpler, faster, and more reliable. Servers that don't open you up to problem after problem caused by the insane complexity of the design.
The reason people keep coming up with is, you need Exchange to get the most out of Outlook.
Which has to be the silliest reason I can imagine, because if there's been a bigger security network security problem over the past half a decade than Outlook, I don't know what it is.
You might as well argue that without winter you really can't get the most out of homelessness. Without dirty needles, you can't get the most out of drug addiction. Without gang warfare, you can't get the most out of overcrowded inner cities.
HELLO, THIS IS THE CLUE FAIRY KNOCKING ON YOUR DOOR: don't use Outlook, don't use Exchange. Go ahead and use Windows if you must (and you pretty much have to, these days, I read it in the paper just the other day), but there's no reason you need to take bad smack just because it comes with the neighborhood. Almost all the mail servers and clients you might want to use have already been ported to Windows, no matter what OS they were originally written for.
This shouldn't be hard for people to wrap their heads around, but... somehow... people keep going back to the Microsoft connection and shooting up with dirty email software...
By attempting to take over every single area of the software industry, they have bitten off way more than they can chew.
Not to mention that every software intallation or update creates a new system for all practical purposes, because every thing is so tightly integrated, and interdependent it's no wonder that simple changes have system-wide unintended side effects.
Apocalypse Cancelled, Sorry, No Ticket Refunds