A cybersecurity advisory was issued yesterday, Jan. 29, 2019, regarding a vulnerability in Microsoft Exchange. This vulnerability could allow for privilege escalation.
What It Is:
Microsoft Exchange is an on-premises email server for Microsoft Windows. Successful exploitation of this vulnerability could allow an attacker who controls any mailbox-enabled domain account (and, in some network positions, an attacker with no credentials at all) to obtain privileges equivalent to Domain Admin. With that access an attacker could perform a series of malicious actions, including replicating the password hashes of every domain account from a domain controller and creating backdoor accounts.
A proof-of-concept has been published by the researchers who discovered this vulnerability to demonstrate the issue. See the reference link above.
What It Means:
If your business or organization uses Microsoft Exchange 2013 or newer, you should implement the mitigations in the link above immediately, without waiting for a patch, to avoid a potential breach.
Systems Affected Include:
• Microsoft Exchange 2013 and newer
Risk:
• Large and medium government entities: High
• Small government entities: Medium
• Large and medium business entities: High
• Small business entities: Medium
• Home users: Low
A vulnerability has been discovered in Microsoft Exchange which could allow for privilege escalation. Starting from any compromised mailbox-enabled account on the network, an attacker may be able to obtain Domain Admin-equivalent privileges because of the default configuration of Exchange Servers in Active Directory. In some network positions the attack is also possible without any credentials. The attack chains together the following:
1. Exchange Servers are installed by default with many high-privilege permissions in Active Directory, including the right to modify the DACL (WriteDACL) of the Domain object itself. Whoever can write the Domain object's DACL can grant any account any right on the domain, including the directory replication rights used to pull password hashes from a domain controller (DCSync).
2. Exchange Servers are vulnerable to NTLM relay attacks because the Exchange server does not negotiate the Sign and Seal flags on its NTLM authentication over HTTP. An attacker who receives such an authentication can forward it to LDAP on a domain controller, which does not require signing by default. No NTLM hash is recovered; the live authentication is simply relayed while the Exchange server believes it is talking to a legitimate endpoint.
3. A feature in Exchange Web Services (EWS), the push subscription, can be used to make the Exchange Server authenticate to an attacker-controlled URL over HTTP, and it does so using the server's computer account.
4. If the attacker has no credentials, it is still possible to trigger Exchange to authenticate to an attacker-controlled URL by first relaying another host's SMB authentication to Exchange over HTTP (an SMB-to-HTTP relay attack).
Successful exploitation chains these steps: the relayed Exchange computer account rewrites the Domain object's DACL to grant the attacker's account replication rights, which is equivalent to Domain Admin. With that access an attacker can perform a series of malicious actions, including dumping the password hashes of every domain account and implementing backdoor accounts on the domain.
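The chain above depends on two default conditions: an Exchange group holding WriteDACL on the Domain object, and domain controllers accepting unsigned LDAP binds. The following PowerShell audit is an added example written for this page; it is not code from the advisory or from the researchers' proof-of-concept. It assumes a domain-joined host with the ActiveDirectory RSAT module, the default Exchange group names (adjust if they were renamed), and permission to read the registry on each domain controller for the second check.

```powershell
# Added audit script (not from the original advisory). Checks the two default
# conditions the PrivExchange-style chain relies on.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
# Default Exchange group names (assumption: not renamed in your forest).
$exchangeGroups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')

function Get-ExchangeDomainWriteDacl {
    # Returns the Allow ACEs on the domain object itself that give an Exchange
    # group the right to change its DACL. That ACE is what lets a relayed
    # Exchange computer account grant DCSync rights to an arbitrary principal.
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        # Inheritance types that apply to the domain object itself (not only children).
        $appliesToObject = $ace.InheritanceType -in 'None', 'All', 'SelfAndChildren'
        $hasWriteDacl = ([int]($ace.ActiveDirectoryRights -band $writeDacl)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $hasWriteDacl -and
            $appliesToObject -and ($exchangeGroups -contains $name)) {
            [pscustomobject]@{
                Identity        = $ace.IdentityReference.Value
                Rights          = $ace.ActiveDirectoryRights
                InheritanceType = $ace.InheritanceType
                IsInherited     = $ace.IsInherited
            }
        }
    }
}

function Get-DcLdapSigningState {
    # LDAPServerIntegrity: 2 = require signing; 0 or 1 (the default) accept
    # unsigned binds, which is exactly what an NTLM relay to LDAP needs.
    # LdapEnforceChannelBinding: 0 (default) = never, 1 = when supported,
    # 2 = always; 0 leaves LDAPS open to the same relay.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Invoke-Command -ComputerName $dc -ArgumentList $key -ScriptBlock {
            param($key)
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                DomainController          = $env:COMPUTERNAME
                LDAPServerIntegrity       = $p.LDAPServerIntegrity
                LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
                SigningRequired           = ($p.LDAPServerIntegrity -eq 2)
            }
        }
    }
}

$aces = @(Get-ExchangeDomainWriteDacl)
if ($aces) {
    "Exchange groups can rewrite the DACL of ${domainDN}:"
    $aces | Format-Table -AutoSize
} else {
    "No Exchange WriteDacl ACE applies to the domain object."
}

$dcs = @(Get-DcLdapSigningState)
$dcs | Format-Table -AutoSize
$unsigned = @($dcs | Where-Object { -not $_.SigningRequired })
if ($aces -and $unsigned) {
    Write-Warning ("Exposed: Exchange authentication relayed to {0} DC(s) that accept " +
                   "unsigned LDAP could modify the domain DACL.") -f $unsigned.Count
}
```

Both conditions must hold for the relay to reach the domain DACL, so the warning fires only when an Exchange WriteDACL ACE is present and at least one domain controller does not require signing; either finding on its own is still worth fixing, since the patch does not change the LDAP signing default.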
What To Do:
We recommend the following actions be taken:
• Consider implementing the mitigation recommendations for this vulnerability found at the reference link above. Until a patch is available, the effective interim measures are to remove the Exchange groups' WriteDACL permission on the Domain object, to require LDAP signing (and LDAP channel binding for LDAPS) on all domain controllers, and to disable EWS push subscriptions with an organization-wide throttling policy.
• Apply the appropriate patch provided by Microsoft, once available, after appropriate testing.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
• Apply the Principle of Least Privilege to all systems and services.
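The interim mitigations in the list above, as an added PowerShell example written for this page (it is not code from the advisory, the researchers, or Microsoft). The three parts run in different contexts, noted in the comments. The policy name 'NoEWSSubscriptions' and the Exchange group names are assumptions; adjust them for your environment and test each step before rolling it out.

```powershell
# Added mitigation script (not from the original advisory).

# ---- Part 1: Exchange Management Shell, as Organization Management ----
# Stop EWS push subscriptions organization-wide so Exchange can no longer be
# made to authenticate outbound to a URL an attacker chooses.
# Caveat: applications that rely on EWS push notifications stop receiving them.
New-ThrottlingPolicy -Name 'NoEWSSubscriptions' -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' } |
    Format-List Name, EwsMaxSubscriptions
# On each Exchange server (WebAdministration module), recycle EWS so the limit applies.
Restart-WebAppPool -Name 'MSExchangeServicesAppPool'

# ---- Part 2: on every domain controller, as Domain Admin ----
# Require LDAP signing and enable channel binding so a relayed NTLM
# authentication cannot complete an unsigned LDAP bind or an LDAPS bind that
# lacks the channel binding token. Before enforcing, review Directory Service
# events 2887 (daily count of unsigned/simple binds) and 2889 (per-client
# detail, needs the "16 LDAP Interface Events" diagnostic level set to 2) and
# fix legitimate legacy clients first. In production prefer the equivalent
# Group Policy setting ("Domain controller: LDAP server signing requirements").
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Invoke-Command -ComputerName $dc -ArgumentList $ntds -ScriptBlock {
        param($ntds)
        Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
        Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord
    }
}

# ---- Part 3: as Domain Admin, with the ActiveDirectory module ----
# Remove the Exchange groups' ability to change the DACL of the domain object
# itself while keeping the same rights on child objects, which Exchange uses
# for mailbox management. Exchange setup (/PrepareAD) re-creates the original
# ACE, so re-run this check after every cumulative update.
Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$groups    = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')  # assumed defaults
$writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$acl       = Get-Acl -Path "AD:\$domainDN"
$changed   = $false
foreach ($ace in @($acl.Access)) {
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    $hasWriteDacl = ([int]($ace.ActiveDirectoryRights -band $writeDacl)) -ne 0
    # Only explicit, generic (no ObjectType) Allow ACEs that apply to the domain object.
    if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow' -or -not $hasWriteDacl -or
        ($groups -notcontains $name) -or ($ace.ObjectType -ne [Guid]::Empty) -or
        ($ace.InheritanceType -notin 'None', 'All')) { continue }
    [void]$acl.RemoveAccessRuleSpecific($ace)
    if ($ace.InheritanceType -eq 'All') {
        # Re-add the same identity and rights, but for descendant objects only.
        $descendantsOnly = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $ace.InheritedObjectType)
        $acl.AddAccessRule($descendantsOnly)
    }
    "Removed WriteDacl on the domain object for $($ace.IdentityReference.Value)"
    $changed = $true
}
if ($changed) { Set-Acl -Path "AD:\$domainDN" -AclObject $acl }
```

Part 1 and Part 3 each break one link of the chain on their own; Part 2 additionally closes LDAP relay as a target for any other machine account that can be coerced to authenticate, so it is worth keeping after the patch is applied.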
Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.
Should your agency or business need assistance with the detection of vulnerabilities in Microsoft Exchange or updates to include critical patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.
Thank you for your time and stay safe online.