Vulnerability identifier: #VU17228

Vulnerability risk: Medium

CVSSv3.1: 7.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-0686

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft Exchange Server
Server applications / Mail servers

Vendor: Microsoft

Description

The vulnerability allows a remote authenticated user to gain escalated privileges.

The vulnerability exists due to improper access restrictions when processing requests to the "/privexchange" API endpoint. A remote authenticated user with limited privileges and mailbox access can gain DCSync privileges and obtain hashed passwords of all Active Directory users.

Successful exploitation of the vulnerability may allow an attacker to gain full access to the Active Directory infrastructure.

Mitigation

Vulnerable software versions

Microsoft Exchange Server: 2016 RTM 15.01.0225.042 - 2016 Cumulative Update 11 15.01.1591.010, 2013 Cumulative Update 2 15.00.0712.024 - 2013 Cumulative Update 21 15.00.1395.004, 2019 RTM 15.02.0221.012, 2010 Service Pack 3 Update Rollup 20

---

External links
http://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
http://github.com/dirkjanm/privexchange/
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.