CERT-In Vulnerability Note CIVN-2006-38
Microsoft Exchange Server Calendar Vulnerability
Original Issue Date: May 10, 2006
Severity Rating: High
Systems Affected
- Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004
- Microsoft Exchange Server 2003 Service Pack 1 and Service Pack 2
Overview
A vulnerability has been reported in Microsoft Exchange Server due to improper handling of vCal and iCal properties of email messages. An attacker could exploit this vulnerability to execute arbitrary code on a vulnerable Exchange server.
Description
Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) are interfaces that allow for certain types of information to be processed in the Exchange store.
Virtual Calendar (vCAL) and Internet Calendar (iCAL) are MIME content types used by Microsoft Exchange Server and email clients while exchanging information related to calendars and scheduling.
This vulnerability is caused by an error within the EXCDO and CDOEX functionality while processing iCal and vCal properties in email messages. An attacker could exploit this vulnerability by sending a maliciously crafted email message with certain vCal or iCal properties to a vulnerable Exchange server.
Workaround
- Authenticate connections to a server that is running Microsoft Exchange Server for all client and message transport protocols. Users may note that this will deny anonymous communication from clients through IMAP, POP3, HTTP, LDAP, SMTP, and NNTP.
- Block iCal/vCal on Microsoft Exchange Server to protect against attempts to exploit this vulnerability through SMTP e-mail.
For further details regarding the impact of these workarounds, refer to Microsoft Security Bulletin MS06-019.
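An illustration of the second workaround applied at a mail gateway in front of Exchange, added here as an example and not part of the CERT-In note or of Microsoft's bulletin: it walks a MIME message and flags every part that carries vCal/iCal content (by content type, by attachment extension, or by a body that opens with a VCALENDAR envelope) so the message can be quarantined before the Exchange store processes it. The sample messages are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# MIME types and file extensions under which calendar data travels.
CALENDAR_TYPES = {"text/calendar", "text/x-vcalendar", "application/ics"}
CALENDAR_EXTENSIONS = (".ics", ".vcs", ".ifb")


def find_calendar_parts(raw_message: bytes):
    """Return (content_type, filename) for every MIME part carrying vCal/iCal data."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type().lower()
        fname = part.get_filename() or ""
        if ctype in CALENDAR_TYPES or fname.lower().endswith(CALENDAR_EXTENSIONS):
            hits.append((ctype, fname))
            continue
        # Fallback: calendar data smuggled inside a plain text part.
        if ctype.startswith("text/"):
            body = part.get_content()
            if body.lstrip().upper().startswith("BEGIN:VCALENDAR"):
                hits.append((ctype, fname))
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold any message that contains calendar content."""
    return bool(find_calendar_parts(raw_message))


def build_sample(with_invite: bool) -> bytes:
    """Constructed test message; the invite is a minimal, well-formed iCalendar body."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Meeting"
    msg.set_content("Please see the attached invitation.")
    if with_invite:
        ics = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
               "SUMMARY:Sync\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
        msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    return msg.as_bytes()
```

A production filter would additionally log the sender, recipient and the matched part for the mail team, since legitimate meeting requests are blocked by this workaround as well.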
Solution
Apply the appropriate patches as described in Microsoft Security Bulletin MS06-019.
Vendor information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
References
Secunia
http://secunia.com/advisories/20029/
US-CERT
http://www.kb.cert.org/vuls/id/303452
CVE Name
CVE-2006-0027
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003