Privilege escalation in Microsoft Exchange OWA
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-0686 CVE-2019-0724 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
Microsoft Exchange Server Server applications / Mail servers |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU17228
Risk: Medium
CVSSv3.1: 7.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-0686
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain escalated privileges.
The vulnerability exists due to improper access restrictions when processing requests to the "/privexchange" API endpoint. A remote authenticated user with limited privileges and mailbox access can gain DCSync privileges and obtain hashed passwords of all Active Directory users.
Mitigation
Vulnerable software versions
Microsoft Exchange Server: 2010 Service Pack 3 - 2019 RTM 15.02.0221.012
External linkshttp://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
http://github.com/dirkjanm/privexchange/
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU17588
Risk: Medium
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2019-0724
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated user to gain escalated privileges.
The vulnerability exists due to improper access restrictions within Exchange Web Services (EWS). A remote authenticated user with limited privileges and mailbox access can perform man-in-the-moddle (MitM) attack to forward an authentication request to a Microsoft Active Directory domain controller and gain elevated privileges on the domain controller.
Mitigation
Install updated from vendor's website.
Vulnerable software versions
Microsoft Exchange Server: 2010 Service Pack 3 - 2019 RTM 15.02.0221.012
External linkshttp://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
http://github.com/dirkjanm/privexchange/
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0724
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
