Slashdot Mirror
Mail Server Flaw Opens MS Exchange to Spam
bl8n8r writes: "
Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.
Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.
Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.
Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ......... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.
Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.
Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
Was code red really just a tool for spammers?
----
Squirrel
What sort of IT group decides to run their Exchange environment unprotected on the internet?
I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.
The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.
Turn off Guest!
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "
Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?
If thats not the case, well, what you're saying makes no sense.
this issue was never really resolved for exchange 5.5.. but it is simply resolved in 2000 which is detailed here
If you are running Exchange 5.5 you shouldn't be wasting time locking it down... Your hours would be better spent opening ports on your firewall or something, because 5.5 is so old and underupdated that it more efficient to work on a new mail server with new software.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
Here I thought /. was the source for fair and balanced coverage.
Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.
Turns out its actually a problem in SMTP's RFC
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
Tubal-Cain smokes the white owl.
I am 100% linux at work, but have the same problem as you, incompatible exchange server for evolution...
So, I have been using outlook with codeweaver's crossover office (http://codeweavers.com/site/products/cxoffice/), which you are no doubt aware of, but if you haven't tried it, it is awesome. While not perfect, it certainly beats the other options of getting exchange mail on a linux desktop (term serv/rdesktop, outlook web access, dual booting, etc), and the small amount of money (~$60) is well worth it, as much work goes right back into WINE.
Legal Disclaimer: I have no affiliation with codeweaver's other than being a very satisfied customer.
JWall: GUI client for IPTables
...and I run multiple Exchange boxen in multiple locations. ...of course I wouldn't do anything so clueless as leave the relays open or leave the default guest account active.
As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
You're using her as bait, Master!
This is either the second, third or forth time in the past 24 months that Microsoft has said the security is a top priority.
But, then again, this is the same company that testified under oath that reveling the Windows source code would harm the National Security of the US. Then they licensed the source code to China.
This is silly, exchange 5.5 and exchange 2000 don't ship with "allow users to relay if they authenticate regardless of if they are in this list" checked by default. Systems Administrators need to enable that feature specifically.
Also, The guest account is disabled by default.
Saying exchange servers may be relaying because of this 'bug' is like saying linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISPs network.
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.
I'm all for kicking a company when they deserve it but yet again I feel this Microsoft bashing episode is another beefed up piece of CNET pseduo FUD disguised as news. I'm sick of the way they trump up the Windows vs. *Nix wars - it brings in readers (baaaaa).
I agree it's a potential issues, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).
We need less dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing.Companies need to grill their staff better at interviews and follow their performance.
My 2 cents...
you are right, but: /etc/passwd - a dictionary attack is much harder if you have to guess both the passowrd and the username.
1. you have to login to the machine to read
2. the standard root-kits just assume it's called root.
As of Postgres v6.2, time travel is no longer supported.
This is an SMTP AUTH problem and any mail server which permits relaying using SMTP AUTH and doesn't filter by source IP is open to this type of abuse. Exchange is more susceptible to this attack than other mail servers because there are predictable account names which can be brute forced and SMTP AUTH is enabled by default. It is simple to turn this off.
What is the big deal?
It looks like thinkcomputer has an ulterior motive "Microsoft telephone support is not available without the risk of paying a relatively high per incident fee. Therefore, we recommend contacting Think Computer via e-mail at info@thinkcomputer.com for more information about the issues discussed in this White Paper."
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
It wouldn't be mentioned in that RFC as I believe that was written before any form of user authentication was part of SMTP. AUTH SMTP is described in RFC 2554 - SMTP Service Extension for Authentication however it doesn't mention anything about a "guest" account specifically, just "accounts".
Modern SMTP mail systems are based on a number of RFC's - 2234, 1869, 1891, 2119, 2222, 2476, 2195, 821, 822
Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".
In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.
In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.
If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.
Mea navis aericumbens anguillis abundat
..Exchange servers that had been infected by the
Code Red worm and subsequently cleaned will still have the
guest account enabled...
Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS a tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.
Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.
As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.
---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.