
Microsoft confirms critical Exchange vulnerability

This privilege escalation flaw would allow a remote attacker to impersonate an administrator

Microsoft has confirmed the existence of a privilege escalation vulnerability in Exchange Server that is considered critical. According to network security and ethical hacking specialists from the International Institute of Cyber Security, this flaw could allow a hacker with a simple mailbox account to gain administrator privileges.

Both Microsoft and US-CERT have alerted in recent days about this error, known as ‘PrivExchange’, noting that it has a score of 8.3/10 on the Common Vulnerability Scoring System (CVSS) scale. According to experts, the vulnerability exists due to multiple errors in the default configurations, the email server, and the Exchange server calendar. The vulnerability affects versions 2013 and later.

Microsoft has not yet released patches to fix this vulnerability; however, network security specialists note that other risk mitigation methods are available.

A week ago a proof of concept was published that describes how an Exchange user can use two Python-written tools to obtain domain admin privileges. In response, Microsoft stated: “To exploit this failure, the attacker would have to run a Man-in-the-Middle attack to forward an authentication request to Exchange Server, which would allow for identity spoofing”.

The PrivExchange vulnerability was first described by the network security expert Dirk-Jan Mollema, who developed a proof of concept that exploits some default Exchange configurations. According to Mollema, attackers can set EWS parameters so that the Exchange server authenticates to a system of their choosing, and that authentication is performed using NTLM (a set of Microsoft authentication protocols).

Another default configuration error is that Exchange does not require signing of NTLM authentication traffic, so a malicious user could relay (forward) that NTLM authentication to other computers on the administrator’s network.

Finally, Exchange servers have high privileges by default, including over the domain controller. With administrator privileges, the attacker could gain access to the domain controller, which can be useful for multiple hacking activities.

“Due to privileges granted by exploiting this vulnerability, an attacker could control anything in the Active Directory, such as system access, data reading and modification, and backdoor implementation to ensure persistence of vulnerability”, Mollema mentioned.

The specialist added: “Performing this attack is relatively easy, and some other implementations of the tools used in the concept test that allow the attack to be carried out through an infected workstation have already been launched”.

Microsoft has not published updates for this vulnerability, although there are ways to mitigate the risk of attack. Potentially affected users are those with on-premises deployments, since Exchange Online is not affected, and those still using NTLM, since systems that have disabled NTLM are not affected.

To address this vulnerability, administrators can define and apply a throttling policy in which EwsMaxSubscriptions has a value of zero. The EwsMaxSubscriptions parameter specifies the maximum number of active push and pull subscriptions that an Exchange Web Services user can have at the same time on a specific Exchange server; setting it to zero prevents the Exchange server from sending these notifications.
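The following Exchange Management Shell session shows how that mitigation is applied and verified. It is an added example, not a command sequence from the article or from Microsoft; the policy name "BlockEwsSubscriptions" is a placeholder chosen here, and it assumes Exchange 2013 or later, where organization-scoped throttling policies are supported.

```powershell
# Added example (not from the article): apply an organization-wide throttling
# policy that forbids EWS push/pull subscriptions, then verify it.
# The policy name is a placeholder; pick one that fits local naming rules.

# 1. Record the current policies and their EwsMaxSubscriptions values so the
#    change can be reviewed and, later, reverted.
Get-ThrottlingPolicy |
    Format-Table Name, ThrottlingPolicyScope, EwsMaxSubscriptions -AutoSize

# 2. Create an organization-scoped policy with EwsMaxSubscriptions set to 0.
#    An Organization-scope policy overrides the Global defaults for every
#    mailbox that has no explicit (Regular-scope) policy assigned.
New-ThrottlingPolicy -Name "BlockEwsSubscriptions" `
    -ThrottlingPolicyScope Organization `
    -EwsMaxSubscriptions 0

# 3. Confirm the effective value is 0 before considering the change done.
(Get-ThrottlingPolicy -Identity "BlockEwsSubscriptions").EwsMaxSubscriptions

# 4. Rollback once a vendor patch is in place: removing the policy makes the
#    Global defaults apply again.
# Remove-ThrottlingPolicy -Identity "BlockEwsSubscriptions"
```

Any integration that relies on EWS push notifications (some third-party line-of-business or archiving tools) will stop receiving them after step 2, so test the policy on a pilot group by assigning a Regular-scope copy with Set-Mailbox -ThrottlingPolicy before rolling it out organization-wide.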
