#VU17588 Improper access control in Microsoft Exchange Server
Vulnerability identifier: #VU17588
Vulnerability risk: Medium
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Microsoft Exchange Server
Server applications /
Mail servers
Vendor: Microsoft
Description
The vulnerability allows a remote authenticated user to gain escalated privileges.
The vulnerability exists due to improper access restrictions within Exchange Web Services (EWS). A remote authenticated user with limited privileges and mailbox access can perform man-in-the-moddle (MitM) attack to forward an authentication request to a Microsoft Active Directory domain controller and gain elevated privileges on the domain controller.
Mitigation
Install updated from vendor's website.
Vulnerable software versions
Microsoft Exchange Server: 2016 RTM 15.01.0225.042 - 2016 Cumulative Update 11 15.01.1591.010, 2013 Cumulative Update 2 15.00.0712.024 - 2013 Cumulative Update 21 15.00.1395.004, 2019 RTM 15.02.0221.012, 2010 Service Pack 3 Update Rollup 20
External links
http://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
http://github.com/dirkjanm/privexchange/
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0724
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
