SB2019012701 - Privilege escalation in Microsoft Exchange OWA

Published: January 27, 2019 Updated: February 12, 2019

Security Bulletin ID: SB2019012701
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2019-0686)

The vulnerability allows a remote authenticated user to gain escalated privileges.

The vulnerability exists due to improper access restrictions when processing requests to the "/privexchange" API endpoint. A remote authenticated user with limited privileges and mailbox access can gain DCSync privileges and obtain the password hashes of all Active Directory users.

Successful exploitation of the vulnerability may allow an attacker to gain full access to the Active Directory infrastructure.

2) Improper access control (CVE-ID: CVE-2019-0724)

The vulnerability allows a remote authenticated user to gain escalated privileges.

The vulnerability exists due to improper access restrictions within Exchange Web Services (EWS). A remote authenticated user with limited privileges and mailbox access can perform a man-in-the-middle (MitM) attack to forward an authentication request to a Microsoft Active Directory domain controller and gain elevated privileges on the domain controller.

Successful exploitation of the vulnerability may allow an attacker to gain full access to the Active Directory infrastructure.

Remediation

Install the update from the vendor's website.