Vulnerability identifier: #VU17228
Vulnerability risk: Medium
CVSSv3.1: 7.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Exchange Server
Server applications /
Mail servers
Vendor: Microsoft
Description
The vulnerability allows a remote authenticated user to gain escalated privileges.
The vulnerability exists due to improper access restrictions when processing requests to the "/privexchange" API endpoint. A remote authenticated user with limited privileges and mailbox access can gain DCSync privileges and obtain hashed passwords of all Active Directory users.
Mitigation
Vulnerable software versions
Microsoft Exchange Server: 2016 RTM 15.01.0225.042 - 2016 Cumulative Update 11 15.01.1591.010, 2013 Cumulative Update 2 15.00.0712.024 - 2013 Cumulative Update 21 15.00.1395.004, 2019 RTM 15.02.0221.012, 2010 Service Pack 3 Update Rollup 20
External links
http://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
http://github.com/dirkjanm/privexchange/
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.