
All Versions of On-Premises Exchange Server Vulnerable to New Attack

Exploiting Active Directory

Dutch security researcher Dirk-Jan Mollema caused a stir when he reported an Exchange Server vulnerability that exploits the privileges Exchange holds over Active Directory. The fact that Exchange can write into and change Active Directory permissions is not new: the situation has existed since Exchange 2000 adopted Active Directory in 1999.

What is new is the combination of the server’s access to Active Directory, NTLM authentication, and a weakness within the push subscription model used by Exchange Web Services. Essentially, the weakness allowed an attacker to impersonate another user and grant themselves elevated privileges. Once the attacker has privileges over Active Directory, they can impersonate any account known to the directory.
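As an added illustration of the privileges the article refers to (this is example code, not from the article, the researcher's post or Microsoft), the following PowerShell audit lists which principals hold rights on the domain object that let them rewrite its permissions or take full control. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain ACL; flagging entries whose name contains "Exchange" is a heuristic chosen for this example, not something the article states.

```powershell
# Added example, not from the article: read-only audit of the domain object's ACL.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a
# domain-joined account permitted to read the domain's security descriptor.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Rights that allow the holder to change the object's permissions outright
# (WriteDacl, WriteOwner) or do anything at all (GenericAll). The article's point
# is that Exchange has been able to change Active Directory permissions for years.
$rightsOfInterest = @('WriteDacl', 'WriteOwner', 'GenericAll')

$acl = Get-Acl -Path ("AD:\" + $domainDN)

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant anything; Deny entries are skipped.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    # ActiveDirectoryRights is a flags enum; its string form is "A, B, C".
    $granted = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $hit = $granted | Where-Object { $rightsOfInterest -contains $_ }

    if ($hit) {
        [PSCustomObject]@{
            Identity      = $ace.IdentityReference.Value
            Rights        = ($hit -join ', ')
            Inherited     = $ace.IsInherited
            # Heuristic for this example: name-based guess at Exchange-related groups.
            ExchangeGroup = ($ace.IdentityReference.Value -like '*Exchange*')
        }
    }
}

# Exchange-related holders first, so an administrator sees them at a glance.
$findings | Sort-Object ExchangeGroup -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined machine; the output is a baseline an administrator can keep and compare against later, which is useful both for understanding what a patch eventually changes and for spotting unexpected additions to the domain ACL.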

No Comment from Microsoft (yet)

The issue was reported earlier today by The Register. Although Microsoft spokespeople are unwilling to comment in detail, the issue is recognized by the Microsoft Security Response Center (MSRC), which says that no workarounds are available for the vulnerability. Some workarounds are suggested in the original post, but I would be slow to make any changes before hearing from Microsoft.


The problem exists on all current on-premises versions of Exchange. Exchange Online is unaffected, but only because an attacker would have to penetrate the many layers of security wrapped around Exchange servers running in Office 365 datacenters.

Background communications reveal that the Exchange product group is actively working on a resolution “as quickly as possible.” While it’s impossible to say when a fix will be available, it’s reasonable to assume that the issue has caught the attention of the folks in Redmond and we should see movement soon. The best advice I can give is to keep an eye out for a patch from Microsoft in the near future.

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.