History
2017 - Researchers Andy Robbins and Will Schroeder highlighted issues with Exchange permissions in a document "Designing Active Directory DACL Backdoors".
2018.04.26 - Rindert Kramer and Dirk-jan Mollema at published an article "Escalating privileges with ACLs in Active Directory".
2018.11.13 - Microsoft published "CVE-2018-8581 | Microsoft Exchange Server Elevation of Privilege Vulnerability".2018.04.26 - Rindert Kramer and Dirk-jan Mollema at published an article "Escalating privileges with ACLs in Active Directory".
2018.12.19.12 - The ZDI published article "AN INSINCERE FORM OF FLATTERY: IMPERSONATING USERS ON MICROSOFT EXCHANGE" with exploit for CVE-2018-8581.
2019.01.21 - Hacker Dirk-jan Mollema published the PoC "Abusing Exchange: One API call away from Domain Admin".
2019.01.28 - CERT Coordination Center published vulnerability note VU#465632 "Microsoft Exchange server 2013 and newer are vulnerable to NTLM relay attacks".
2019.02.05 - Microsoft published "ADV190007 | Guidance for "PrivExchange" Elevation of Privilege Vulnerability"
2019.02.12 - Microsoft published articles "CVE-2019-0686 | Microsoft Exchange Server Elevation of Privilege Vulnerability" and "CVE-2019-0724 | Microsoft Exchange Server Elevation of Privilege Vulnerability"
2019.02.12 - Microsoft published "February 2019 Quarterly Exchange Updates" with patches for all related vulnerabilities.
Vulnerabilities and workarounds
| CVE | Description | CVSS Score | Workarounds | Solution |
| CVE-2018-8581 | An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. | 7.4 HIGH | Researches: ● Enable Extended Protection for Authentication on Front-End Exchange sites. Both researchers and Microsoft: ● Remove the registry "DisableLoopbackCheck". | ● Disable NTLM. ● February 2019 Quarterly Exchange Updates (2019 CU1, 2016 CU12, 2013 CU22). |
| CVE-2019-0686 | An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. | 7.4 HIGH | Both researchers and Microsoft: ● Disable EWS push/pull subscriptions | ● February 2019 Quarterly Exchange Updates (2019 CU1, 2016 CU12, 2013 CU22). |
| CVE-2019-0724 | An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as a Domain Administrator. More details there and there. | 8.1 HIGH | Researchers: ● Script "Fix-DomainObjectDACL.ps1". Description. Microsoft: ● ADV190007 | Guidance for "PrivExchange" Elevation of Privilege Vulnerability | ● Split Permissions Model. ● Isolate Exchange in its own resource forest. ● February 2019 Quarterly Exchange Updates (2019 CU1, 2016 CU12, 2013 CU22). |
Test
I tested the PoC from ZDI - it works. Simple user with a mailbox in Exchange may add a rule to forward all emails to itself (and much more) into any mailbox.
Warning
If you are still running on Exchange 2019 RTM, Exchange 2016 CU11 or Exchange 2013 CU21 or earlier versions be careful with workaround "Disable EWS push/pull subscriptions" like that:New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0 Restart-WebAppPool -Name MSExchangeServicesAppPoolDisable EWS subscriptions can disrupt the line-of-business (LOB) application: Skype for Business, BlackBerry EMS (BlackBerry UEM, BlackBerry Work), VMware AirWatch, Citrix Secure Mail and etc!
Solution
The complete solution to the vulnerabilities described above is February 2019 Quarterly Exchange Updates (Exchange Server 2019 CU1, 2016 CU12, 2013 CU22). It should not break EWS subscriptions (tested on the BlackBerry UEM + BEMS), but I recommend to test it in your test environment.
Microsoft has changed the notifications contract that is established between EWS clients and servers that are running Exchange Server not to allow authenticated notifications to be streamed by the server. Instead, these notifications are streamed by using anonymous authentication mechanisms. Because a client would have to authenticate to establish the subscription, this approach is considered to be an appropriate and necessary design to protect the credentials and identity of the server. After this change, clients that rely on an authenticated EWS Push Notification from the server that is running Exchange Server will require a client update to continue to function correctly.
No comments:
Post a Comment