VYPR
Unrated severity · NVD Advisory · Published Aug 6, 1999 · Updated Apr 16, 2026

CVE-1999-0682

Description

Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Microsoft Exchange 5.5's anti-relay feature can be bypassed using encapsulated SMTP addresses, enabling remote spam relay.

Vulnerability

A remote attacker can bypass the anti-relaying protections in Microsoft Exchange Server 5.5 by using encapsulated SMTP addresses. Exchange Server 5.5, when configured as a gateway for other Exchange sites via the Internet Messaging Service, treats encapsulated SMTP addresses differently from standard SMTP addresses, allowing these addresses to circumvent the anti-relay restrictions. The vulnerability is present in all versions of Microsoft Exchange Server 5.5 prior to the patch referenced in [1].

Exploitation

An attacker with network access to an affected Exchange Server can send an email containing encapsulated SMTP addresses to the server. The server processes the encapsulated addresses and relays the email to the intended recipient, even if the anti-relaying features are enabled. No authentication is required; the attacker only needs to be able to connect to the server's SMTP port.

Impact

Successful exploitation allows the attacker to use the Exchange Server as an open mail relay, sending spam or malicious emails through the server. The server appears as the sender, which can lead to reputational damage, blacklisting, and potential disclosure of internal mail routing information. The confidentiality, integrity, and availability of the server are not directly compromised, but the server can be abused for mail relaying attacks.

Mitigation

Microsoft released a patch for Exchange Server 5.5 to address this vulnerability, as detailed in [1]. The patch makes encapsulated SMTP addresses subject to the same anti-relay protections as non-encapsulated SMTP addresses. Administrators should apply the patch from the August 1999 security bulletin or later updates. No workaround is mentioned in the reference. The vulnerability is not known to be listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:microsoft:exchange_server:5.5:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:5.5:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:5.5:sp2:*:*:*:*:*:*
  • Range: =5.5

Patches

0

No patches discovered yet.

References

4
