Reported July 06, 2001, by Microsoft.
Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Datacenter Server
A vulnerability exists in the default SMTP server that is installed with these four versions of Win2K. A flaw in the SMTP authentication process lets an attacker successfully authenticate to the SMTP service using incorrect credentials. An attacker who exploits this vulnerability can gain user-level privileges on the SMTP service and use the service to relay SMTP mail. This vulnerability affects only standalone machines, not domain controllers (DCs) or Microsoft Exchange mail servers running Win2K.
The vendor, Microsoft, has released security bulletin MS01-037 for this vulnerability and recommends that Win2K users immediately apply the patch mentioned in the bulletin. Patches for Win2K Datacenter are hardware-specific and are available only through the original equipment manufacturer. As usual, if a service is not needed, a user should disable the service.
Discovered by Joao Gouveia.