{"vuid":"VU#978131","idnumber":"978131","name":"Microsoft Exchange 2000 system attendant sets incorrect remote registry permissions","keywords":["Microsoft Exchange 2000","system attendant","remote registry permissions","Microsoft Management Console","MMC","SMB","139/tcp","445/tcp","MS02-003"],"overview":"The Microsoft Exchange System Attendant sets the permissions on a registry key incorrectly, allowing remote intruders access to the registry.","clean_desc":"The Microsoft Exchange System Attendant changes the permissions of the key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\winreg to allow access to the members of the Everyone group. This change is made so that system administrators can manage the Exchange server through the Exchange System Manager Microsoft Management Console (MMC). The ACL on the key mentioned above is used to determine which users are able to use the standard remote registry management features. This permission also allows users to access the registry remotely. The change does not allow the intruder to bypass existing ACLs in the registry, so an intruder will still need to authenticate to the registry. If other registry keys have permissions that allow unauthenticated users to query values or make changes, the intruder will now be able to make those changes.","impact":"A remote intruder may be able to query or set registry key values remotely. The ACLs on the registry keys are still enforced correctly, but the ability for users to access the registry remotely may be undesired. If registry keys have weak permissions, data may be accidentally read or written.","resolution":"Apply a Patch Microsoft has produced patches to correct this problem. 
The patches are described in their advisory, which is available from: http://www.microsoft.com/technet/security/bulletin/ms02-003.asp","workarounds":"Block Access to the Registry by Restricting SMB Network Access Because the standard remote registry management features require an SMB network connection, system administrators may wish to consider blocking ports 139/tcp and 445/tcp at their network perimeter.","sysaffected":"","thanks":"The CERT/CC was made aware of this vulnerability by Microsoft Security Bulletin MS02-003.","author":"This document was written by Cory F. Cohen.","public":["http://www.securityfocus.com/bid/4053","http://www.microsoft.com/technet/security/bulletin/ms02-003.asp"],"cveids":["CVE-2002-0049"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-02-07T21:31:04Z","publicdate":"2002-02-07T00:00:00Z","datefirstpublished":"2002-09-27T17:38:10Z","dateupdated":"2003-03-26T20:47:16Z","revision":10,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"17","cam_exploitation":"0","cam_internetinfrastructure":"2","cam_population":"15","cam_impact":"4","cam_easeofexploitation":"18","cam_attackeraccessrequired":"12","cam_scorecurrent":"4.617","cam_scorecurrentwidelyknown":"5.346","cam_scorecurrentwidelyknownexploited":"10.206","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.617,"vulnote":null}