CVE-2001-0660

Vulnerability

The vulnerability resides in the Outlook Web Access (OWA) implementation of Microsoft Exchange 5.5 Service Pack 4 and earlier versions [1]. OWA's global address list (GAL) search uses a two-tier architecture: a front-end that checks authentication and a back-end that performs the search. However, only the front-end validates credentials, leaving the back-end function accessible without authentication. An attacker can send a properly formatted request directly to the back-end function, bypassing authentication checks entirely [1].

Exploitation

An attacker needs no authentication and only requires network access to the OWA endpoint. By crafting a request targeting the back-end GAL search function, the attacker can enumerate the global address list without any user interaction or additional privileges [1].

Impact

Successful exploitation allows the attacker to retrieve valid email aliases of users from the Exchange server's global address list. The attacker gains no other capabilities, such as reading, modifying, or sending email, nor any server administration access. The disclosure is limited to email aliases, but can aid in targeted attacks or social engineering [1].

Mitigation

Microsoft released security bulletin MS01-047 and a patch that corrects the authentication gap in OWA for Exchange 5.5 SP4 and earlier [1]. Administrators should apply the patch. As a workaround, if OWA is not required, disabling it eliminates the attack vector. Exchange 2000 is not affected by this vulnerability [1].