Main Vulnerability Database Vulnerabilities #VU8291

#VU8291 Information disclosure in Microsoft Exchange Server - CVE-2017-11761

Published: September 12, 2017 / Updated: September 12, 2017

Vulnerability identifier: #VU8291

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-11761

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Microsoft Exchange Server

Software vendor:
Microsoft

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper input sanitization issue in Microsoft Exchange. A remote attacker can send Calendar-related messages containing specially crafted tags to an Exchange server, trick the victim into observing telemetry from these requests and discerning properties of internal hosts intended to be hidden from the Internet, and identify the existence of RFC1918 addresses on the local network from a client on the Internet.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11761