Microsoft Exchange long integers issue.

quovadis

Anyone running on-premise MS Exchange servers this morning may notice an issue with submission queues not emptying. The short of it is that for some reason the anti-malware transport agent likes to store dates as integers and, well, the date 20220101 doesn't play nicely with the data type set. The only way to recover, it seems, is currently to disable/bypass the anti-malware agent (which is definitely not a desired solution).

Event log entry:
The FIP-FS "Microsoft" Scan Engine failed to load. PID: 16024, Error Code: 0x80004005. Error Description: Can't convert "2201010004" to long.

@Jan - Quite a story
 
What do you mean as Integer? Are they storing POSIX timestamps as integers?

Code:
irb(main):006:0> 20210101.to_s(2).length
=> 25
irb(main):002:0> 20220101.to_s(2).length
=> 25
irb(main):003:0> Time.now.to_i
=> 1641070905
irb(main):004:0> 1641070905.to_s(2).length
=> 31
irb(main):005:0> (2**31)-1 > 1641070905
=> true

Given above, I don't get the overflow. Microsoft is a strange world.
 
More details available on the below BleepingComputer article.
https://www.bleepingcomputer.com/ne...ear-2022-bug-in-fip-fs-breaks-email-delivery/

Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647.

However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery.
Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.

However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again.

To disable the FIP-FS scanning engine, you can execute the following PowerShell commands on the Exchange Server:

Set-MalwareFilteringServer -Identity <ServerName> -BypassFiltering $true
Restart-Service MSExchangeTransport

After the MSExchangeTransport service is restarted, mail will start being delivered again.

Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft's scanning engine, leading to more malicious emails and spam getting through to users.

Microsoft has confirmed that they are working on a fix and hope to have more information available later today.
 
What version of Exchange?
Seems to be across the board (at least from what I can see), but can verify 2019 15.2.986.14/15.2.986.5/15.2.922.7 and 2016 15.1.2375.17 & 15.1.2308.20.

What do you mean as Integer? Are they storing POSIX timestamps as integers?
They're storing the date format YYMMDDHHMM in what seems to be C++ long int or other int where you get overflow after 2,147,483,647.
 
Now it makes more sense. HHMM does make quite a difference in terms of length :p

Code:
irb(main):016:0> 2201010001.to_s(2).length
=> 32
irb(main):017:0> (2**31)-1 > 2201010001
=> false
irb(main):018:0> (2**32)-1 > 2201010001
=> true

Seems to be a signed integer overflow.
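
Added example, not from the thread and not Microsoft's code: the YYMMDDHHMM conversion discussed above, written in C. It assumes the failing conversion targets a signed 32-bit integer (the width of long on Windows), as the posts suggest; the function names and the sample value 2112312359 are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a decimal YYMMDDHHMM string into a 64-bit value.
 * Returns 0 on success, -1 if the text is not a clean decimal number. */
static int parse_stamp(const char *s, long long *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* 1 if the stamp can be held in a signed 32-bit integer, else 0.
 * Assumption: this is the width the scan engine converts to, based on
 * the "Can't convert ... to long" event text and the posts above. */
int fits_int32(const char *s)
{
    long long v;
    if (parse_stamp(s, &v) != 0)
        return 0;
    return v >= INT32_MIN && v <= INT32_MAX;
}

/* 1 if the stamp can be held in a signed 64-bit integer, else 0. */
int fits_int64(const char *s)
{
    long long v;
    return parse_stamp(s, &v) == 0;
}

int main(void)
{
    /* "2201010004" is the value from the event log; the first is constructed. */
    const char *stamps[] = { "2112312359", "2201010004" };
    for (size_t i = 0; i < 2; i++)
        printf("%s: int32 %s, int64 %s\n", stamps[i],
               fits_int32(stamps[i]) ? "ok" : "FAILS",
               fits_int64(stamps[i]) ? "ok" : "FAILS");
    return 0;
}
```

Every stamp through 31 December 2021 23:59 stays below 2,147,483,647, so the first value that cannot be converted is the first one issued in 2022.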
 
Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647.

interesting, they scrapped the DateTime format?

or the developer's brain flooded with water?
 
Hard to say but they've provided a decent fix that allows everything to go back to normal.

it is a design failure, as the developer, this kind of lower level basic structure failure is absolutely unacceptable. :mad:

this idiot even doesn't understand what is "long" and "DateTime". and don't forget, he /she has been receiving high salary each month. :mad: :mad:
 