|
Microsoft Exchange 2003 May Provide Access to Wrong Mailbox
|
|
Secunia Advisory:
|
SA10615
|
|
|
Release Date:
|
2004-01-13
|
|
Last Update:
|
2004-01-22
|
|
Popularity:
|
10,634 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Microsoft Exchange Server 2003
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2003-0904
|
|
Description:
Microsoft has reported a weakness in Exchange Server 2003, which is caused due to a bug in the handling of NTLM authentication in Outlook Web Access.
Systems configured to use NTLM instead of Kerberos (which is the default authentication scheme) may provide users access to mailboxes belonging to other users, which have recently accessed their mailbox.
Microsoft Sharepoint Services may cause the configuration to be changed so that NTLM authentication is used instead of Kerberos.
It is not possible for a malicious user to control which mailbox to access.
Solution:
Microsoft has issued patches:
http://www.microsoft.com/downloads/de...-A837-FBCFC0567676&displaylang=en
Changelog:
2004-01-22: Added link to CERT.
Original Advisory:
Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)
http://www.microsoft.com/technet/tree...echnet/security/bulletin/MS04-002.asp
Other References:
CERT VU#530660:
http://www.kb.cert.org/vuls/id/530660
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
