
All Versions of On-Premises Exchange Server Vulnerable to New Attack

Exploiting Active Directory

Dutch security researcher Dirk-Jan Mollema caused a stir when he reported an Exchange Server vulnerability that exploits the privileges Exchange has over Active Directory. The fact that Exchange can write into and change Active Directory permissions is not new; the situation has existed since Exchange 2000 adopted Active Directory in 1999.

What is new is the combination of the server’s access to Active Directory, NTLM authentication, and a weakness within the push subscription model used by Exchange Web Services. Essentially, the weakness allowed an attacker to impersonate another user and grant themselves elevated privileges. Once the attacker has privileges over Active Directory, they can impersonate any account known to the directory.
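As an added illustration (not from the original article or from Microsoft), the read-only audit below parses a directory object's SDDL string and lists the trustees whose allow ACEs carry WriteDacl, the right that lets a principal change permissions on that object. The sample SDDL, the domain SID, RID 1121 (standing in for an Exchange group) and the expected-holders list are all constructed assumptions.

```python
import re

WRITE_DAC, GENERIC_ALL = 0x00040000, 0x10000000

# SDDL two-letter rights codes and their access-mask bits.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

def rights_to_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on an unknown code
    return mask

def write_dacl_holders(sddl):
    """Return trustees whose allow ACEs in the DACL include WriteDacl or GenericAll."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)  # DACL only, SACL is skipped
    holders = set()
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type in ("A", "OA") and rights_to_mask(rights) & (WRITE_DAC | GENERIC_ALL):
            holders.add(trustee)
    return sorted(holders)

def unexpected_holders(sddl, expected):
    """Trustees with WriteDacl that are not on the reviewer's expected list."""
    return [t for t in write_dacl_holders(sddl) if t not in expected]

# Constructed sample: the domain SID and RID 1121 are made up for illustration.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    f"O:{DOM}-512G:{DOM}-512D:AI"
    "(A;;RPLCLORC;;;AU)"                       # Authenticated Users: read only
    f"(A;;RPWPCRCCLCLORCWOWDSW;;;{DOM}-512)"   # Domain Admins
    "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)"       # BUILTIN\Administrators
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"     # SYSTEM
    f"(A;CI;WD;;;{DOM}-1121)"                  # hypothetical Exchange group
    "S:AI(AU;SA;WPWDWO;;;WD)"                  # audit ACE in the SACL, not a grant
)
EXPECTED = {f"{DOM}-512", "BA", "SY"}  # assumption: the reviewer's allow list

print(unexpected_holders(SAMPLE_SDDL, EXPECTED))
```

On a domain-joined host with the ActiveDirectory PowerShell module, the SDDL for an object can be read with `(Get-Acl "AD:\<distinguished name>").Sddl` and passed to `unexpected_holders`.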

No Comment from Microsoft (yet)

The issue was reported on earlier today by the Register. Although Microsoft spokespeople are unwilling to comment in detail, the issue is recognized by the Microsoft Security Response Center (MSRC), who say that no workarounds are available for the vulnerability. Some workarounds are suggested in the original post, but I would be slow to make any changes before hearing from Microsoft.

The problem exists on all current on-premises versions of Exchange. Exchange Online is unaffected, but only because an attacker would have to penetrate the many layers of security wrapped around Exchange servers running in Office 365 datacenters.

Background communications reveal that the Exchange product group is actively working on a resolution “as quickly as possible.” While it’s impossible to say when a fix will be available, it’s reasonable to assume that the issue has caught the attention of the folks in Redmond and we should see movement soon. The best advice I can give is to keep an eye out for a patch from Microsoft in the near future.




Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.