Microsoft Security Bulletin MS00-088 - Critical

Patch Available for 'Exchange User Account' Vulnerability

Published: November 16, 2000

Version: 1.0

Originally posted: November 16, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Exchange 2000 Server and Exchange 2000 Enterprise Server. This vulnerability could potentially allow an unauthorized user to remotely log in to an Exchange 2000 server and possibly other servers on the affected computer's network.

Affected Software:

  • Microsoft Exchange 2000 Server CDs without "Rev. A" stamped on the CD on the line below the Part No.

  • Microsoft Exchange 2000 Enterprise Server CDs without "Rev. A" stamped on the CD below the Part No.

    Note: This also applies to evaluation editions and to Microsoft Exchange 2000 Server and Microsoft Exchange 2000 Enterprise Server included on the October 2000 Select CDs.

Vulnerability Identifier: CVE-2000-1139

General Information

Technical details

Technical description:

In early shipments of Exchange 2000, setup creates an account with a known username and password. If a malicious user learned the username and password, he or she could log onto the account. Under normal circumstances, this account only has local user rights - it is not a privileged account and cannot access Exchange 2000 data. However, if Exchange 2000 were installed on a Domain Controller, the account would also have Domain user privileges, and could thus gain access to other resources in the affected Domain. Nevertheless, the malicious user would still be restricted from accessing Exchange 2000 data.

To eliminate the security vulnerability, Microsoft has provided a manual procedure, discussed in the FAQ, and a tool to protect our customers. Microsoft also recommends that customers affected by this vulnerability disable or delete this account after setup completes. In addition, Exchange 2000 SP1 will contain a fix that removes this vulnerability.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-088 announces the availability of a manual procedure and a tool that eliminate a potential vulnerability in Microsoft® Exchange 2000 Server and Exchange 2000 Enterprise Server. The vulnerability could be used to gain access to a network that contains an Exchange 2000 server. Microsoft is committed to protecting customers' information, and is providing this bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could enable a malicious user to log onto an Exchange 2000 Server via a user account created during setup. The specific capabilities the malicious user would gain access to would depend on the type of Windows 2000 Server on which Exchange is installed. If Exchange has been installed on a member server, the malicious user would only gain user privileges on that machine. He or she could take a variety of actions, including loading and running code of their choice on the specific server that has been compromised. If Exchange has been installed on a domain controller, the malicious user would gain domain user privileges. This would enable them to access other network resources and potentially cause further damage. Best practices strongly recommend against installing Exchange - or any other applications - on a domain controller. Customers who have followed this recommendation would be at significantly less risk from this vulnerability. Regardless of whether Exchange is installed on a member server or domain controller, the user account at issue is an unprivileged one, and does not have access to Exchange 2000 data or the ability to perform administrative actions. Nevertheless, even these user privileges on a server can enable a malicious user to cause significant damage, and could provide a beachhead from which to launch additional attacks.

What causes the vulnerability?
The vulnerability results because a user account is created during setup of Exchange 2000 with a known username and password.

What account is created, and what purpose does it serve?
The user account EUSR_EXSTOREEVENT was created to facilitate the processing of workflow and other event scripts. Exchange 2000 supports running these scripts under the Windows system account, and as a result, this account is no longer required.

If the account isn't required, why was it created?
This type of user account was used in previous versions of Exchange. The account did not pose a security risk in those versions because it did not use a known username or password. This account was included in Exchange 2000 during the beta program while the current method of handling workflow and event scripts was developed. It was intended to be removed from the final shipping product; however, due to a production error, it was not actually removed from some early shipments.

Does this vulnerability affect Exchange 5.5?
No. This account only exists under Exchange 2000.

Is the EUSR_EXSTOREEVENT account highly privileged?
No. It has privileges that match those of a normal user. It does not have administrative privileges of any kind, nor any access to Exchange data.

Is EUSR_EXSTOREEVENT a local or domain account?
It's a local account. This means that in the vast majority of cases, it has no privileges whatsoever on the domain. However, there is one exception to this. If Exchange is installed on a domain controller, the account would be a domain account - because, by definition, all local accounts on domain controllers are in fact domain accounts.

How could a malicious user gain access to the account?
If the malicious user learned the username and password, she could simply log in remotely to an Exchange Server.

Why can't I just disable the account?
You can. In fact, as discussed below, that's one simple way to eliminate the vulnerability.

Suppose Exchange were installed on a member server. What could the malicious user do if he exploited this vulnerability?
It's easier to start with what the malicious user could not do. The EUSR_EXSTOREEVENT account does not have administrative privileges, so the malicious user could not run tools or access files that are restricted to administrators. For instance, he or she could not change the security configuration of the machine, create new users on the machine or read Exchange 2000 data. However, he or she could access any file that granted read, write or execute permissions to normal users, and could execute many operating system commands. Most importantly, he or she could load additional software onto the machine and run it, in an effort to gain additional privileges via other vulnerabilities.

Suppose Exchange were installed on a domain controller. What could the malicious user do if he exploited this vulnerability?
The malicious user's privileges would remain basically the same, except that he or she would now be a domain user rather than a local user. This means that he or she could access any resources, within a domain, that gave rights to members of the Domain Users group.

How common is it for Exchange to be deployed on a domain controller?
Microsoft recommends that a Domain Controller only be used to validate login requests, and that other applications or services be installed on member servers. However, we do understand that certain customers, particularly small to medium sized businesses, may run Exchange 2000 on a domain controller. As a result, we are providing the procedures and tool to cover all deployment scenarios.

Will a fix be included in Service Pack 1 for Exchange 2000?
Yes. A fix will be included in SP1 for Exchange 2000, and customers who deploy Exchange 2000 with SP1 will not need to use the procedure or tool in this bulletin.

How do I identify if my copy of Exchange 2000 is affected?
Use this table to determine whether you have an affected version:

Existing Installations: Check for the existence of the EUSR_EXSTOREEVENT account. If it exists, take the appropriate action documented in this bulletin and KB article.

New Installations: The following Exchange 2000 installation media are affected by this vulnerability:

  • Exchange 2000 Server CDs without "Rev A" printed on the CD on the line below the Part No. (see upper right quadrant)

  • Exchange 2000 Enterprise Server CDs without "Rev A" printed on the CD below the Part No. (see upper right quadrant)

  • Exchange 2000 Server and Exchange 2000 Enterprise Server included with the October 2000 Select CD shipment

For any Exchange 2000 evaluation edition, and as another method to test for this vulnerability, use the filever.exe tool, available with Exchange 2000, to check the version of exsetdata.dll. If the version is equal to 6.0.4417.5, then you are affected by the vulnerability.

Example of filever.exe usage:

<CD drive>\SUPPORT\UTILS\I386>filever \setup\i386\exsetdata.dll

If the resulting output contains the version number 6.0.4417.5, as in the line below, then you are affected by this vulnerability.

-r--- W32i DLL ENU 6.0.4417.5 shp 2,507,024 08-16-2000 exsetdata.dll
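The two checks in the table above (account present, and exsetdata.dll at version 6.0.4417.5), as an added PowerShell audit script that is not part of the bulletin or of Microsoft's tool. It assumes the account name and version number from this bulletin; the DLL paths are placeholders to adjust for the CD drive letter and install location.

```powershell
# Added example (not from the bulletin): audit one host for the MS00-088 indicators.
$AccountName   = 'EUSR_EXSTOREEVENT'   # account named in the bulletin
$AffectedVer   = '6.0.4417.5'          # exsetdata.dll version named in the bulletin
$DllCandidates = @(
    'D:\setup\i386\exsetdata.dll',                  # installation CD (placeholder drive letter)
    "$env:ProgramFiles\Exchsrvr\bin\exsetdata.dll"  # placeholder path for an installed copy
)

function Test-ExStoreEventAccount {
    # The WinNT ADSI provider answers the same way on a member server and on a
    # domain controller, where a "local" account is really a domain account.
    return [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$AccountName,user")
}

function Get-ExSetDataVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Same information filever.exe prints, read from the PE version resource.
    return [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).FileVersion
}

$findings = @()
if (Test-ExStoreEventAccount) {
    $findings += "account $AccountName exists on $env:COMPUTERNAME"
}
foreach ($dll in $DllCandidates) {
    $ver = Get-ExSetDataVersion -Path $dll
    if ($ver -eq $AffectedVer) {
        $findings += "$dll is version $ver (affected media)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MS00-088 indicators found.'
} else {
    Write-Output 'Affected by MS00-088:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on every Exchange 2000 server, since the bulletin's tool and procedure must likewise be applied on all of them.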

I know I'm affected; what does the tool do?
The tool will search for the existence of the EUSR_EXSTOREEVENT account and delete it. The tool MUST be run on all Exchange 2000 machines from a Windows 2000 Administrator account.

What is the manual procedure?
Customers with Exchange 2000 currently installed:

  • Delete the EUSR_EXSTOREEVENT account, OR
  • If the account is in use, change its password

Customers who have not deployed Exchange 2000:

  • Prior to installation, manually create and disable EUSR_EXSTOREEVENT, AND
  • Delete the account after setup is completed
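The manual procedure above for both customer groups, as an added PowerShell script that is not the bulletin's tool. It assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets on a member server, an elevated session, and that the operator decides the $AccountInUse branch; the replacement password is generated randomly rather than chosen.

```powershell
# Added example (not Microsoft's tool): apply the MS00-088 manual procedure.
$AccountName = 'EUSR_EXSTOREEVENT'   # account named in the bulletin

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded, returned as a SecureString.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-ExistingInstallFix {
    # Customers with Exchange 2000 installed: delete the account, OR, if event
    # scripts still depend on it, replace the known password with an unknown one.
    param([bool]$AccountInUse)
    $acct = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $acct) { Write-Output "$AccountName not present; nothing to do."; return }
    if ($AccountInUse) {
        Set-LocalUser -Name $AccountName -Password (New-RandomPassword)
        Write-Output "Password for $AccountName replaced."
    } else {
        Remove-LocalUser -Name $AccountName
        Write-Output "$AccountName deleted."
    }
}

function Invoke-PreInstallFix {
    # Customers who have not deployed yet: pre-create the account disabled with
    # an unknown password; delete it with Invoke-ExistingInstallFix after setup.
    if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
        Write-Output "$AccountName already exists; review it before running setup."
        return
    }
    New-LocalUser -Name $AccountName -Password (New-RandomPassword) -Disabled `
        -Description 'Pre-created per MS00-088; delete after Exchange 2000 setup' | Out-Null
    Write-Output "$AccountName pre-created and disabled."
}

# Operator chooses one of:
#   Invoke-ExistingInstallFix -AccountInUse $false   # delete the account
#   Invoke-ExistingInstallFix -AccountInUse $true    # keep it, change the password
#   Invoke-PreInstallFix                             # before running Exchange setup
```

On a domain controller the account is a domain account, so the equivalent steps must be performed with the domain's user-management tools instead of the LocalAccounts cmdlets.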

Where can I get the tool?
The download location for the tool is provided in the "Patch Availability" section of the security bulletin.

How do I use the tool?
Knowledge Base article Q278523 contains detailed instructions for applying the workaround or running the tool.

How can I tell if I ran the tool or followed the procedure correctly?
Knowledge Base article Q278523 provides details about the manual procedure and how to run the tool.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued Knowledge Base article Q278523 explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base (KB) article Q278523

Other information:

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available on the Microsoft Web site.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • November 16, 2000: Bulletin Created.