Improper access control in Microsoft Exchange Server

#VU14371 Improper access control in Microsoft Exchange Server

Published: 2018-08-14 | Updated: 2018-08-14

Vulnerability identifier: #VU14371

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8374

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft Exchange Server
Server applications / Mail servers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to change profile data of other Exchange users.

The vulnerability exists due to an error when processing data profiles. a remote authenticated attacker can change profile data of another Exchange user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Exchange Server: 2016 Cumulative Update 9 15.01.1466.003 - 2016 Cumulative Update 10 15.01.1531.003

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8374

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Microsoft Exchange