The international coordination center for vulnerability disclosures has alerted about this critical error
The CERT
Coordination Center (CERT/CC) has launched a vulnerability warning for Microsoft
Exchange 2013 and later versions. According to network security and
ethical hacking specialists from the International Institute of Cyber Security,
the problem with Microsoft’s online service is a vulnerability to NTLM relay
attacks.
The problem, which has not yet been patched and
does not seem to have a practical solution, exists due to a flaw in the
Microsoft Exchange software to set signature and stamp marks on NTLM
authentication traffic. In line with network
security specialists, remote attackers gain Exchange server privileges.
This error is especially risky for Microsoft Exchange, as it provides broad default
privileges.
“Exchange Server privileges obtained through
this vulnerability can be used to obtain Domain Admin privileges for the domain
containing the compromised Exchange server,” mentions the CERT/CC security
alert.
Consequently, an attacker in possession of the
credentials of an Exchange mailbox is also able to communicate with an Exchange
Server and a Windows domain controller for domain Admin privileges. In
addition, network security experts mention that completing this attack is
possible even if the hacker does not have Exchange mailbox passwords.
The CERT/CC recommends two possible risk
mitigations. The first is to disable EWS push/pull subscriptions; In addition,
the user could delete the privileges that Exchange has in the domain object.
