Dutch security researcher Dirk-Jan Mollema caused a stir when he reported an Exchange Server vulnerability that exploits the privileges Exchange has over Active Directory. The fact that Exchange can write into and change Active Directory permissions is not new as the situation has existed since Exchange 2000 adopted Active Directory in 1999.
What is new is the combination of the server’s access to Active Directory, NTLM authentication, and a weakness within the push subscription model used by Exchange Web Services. Essentially, the weakness allowed an attacker to impersonate another user and grant themselves elevated privileges. Once the attacker has privileges over Active Directory, they can impersonate any account known to the directory.
The issue was reported on earlier today by the Register. Although Microsoft spokespeople are unwilling to comment in detail, the issue is recognized by the Microsoft Security Response Center (MSRC), who say that no workarounds are available for the vulnerability. Some workarounds are suggested in the original post, but I would be slow to make any changes before hearing from Microsoft.
The problem exists on all current on-premises versions of Exchange. Exchange Online is unaffected, but only because an attacker would have to penetrate the many layers of security wrapped around Exchange servers running in Office 365 datacenters.
Background communications reveal that the Exchange product group is actively working on a resolution “as quickly as possible.” While it’s impossible to say when a fix will be available, it’s reasonable to assume that the issue has caught the attention of the folks in Redmond and we should see movement soon. The best advice I can give is to keep an eye for a patch from Microsoft in the near future.