All Versions of On-Premises Exchange Server Vulnerable to New Attack
Exploiting Active Directory
Dutch security researcher Dirk-Jan Mollema caused a stir when he reported an Exchange Server vulnerability that exploits the privileges Exchange has over Active Directory. The fact that Exchange can write into and change Active Directory permissions is not new, as the situation has existed since Exchange 2000 adopted Active Directory in 1999.
What is new is the combination of the server’s access to Active Directory, NTLM authentication, and a weakness within the push subscription model used by Exchange Web Services. Essentially, the weakness allowed an attacker to impersonate another user and grant themselves elevated privileges. Once the attacker has privileges over Active Directory, they can impersonate any account known to the directory.
No Comment from Microsoft (yet)
The issue was reported earlier today by The Register. Although Microsoft spokespeople are unwilling to comment in detail, the issue is recognized by the Microsoft Security Response Center (MSRC), who say that no workarounds are available for the vulnerability. Some workarounds are suggested in the original post, but I would be slow to make any changes before hearing from Microsoft.
The problem exists on all current on-premises versions of Exchange. Exchange Online is unaffected, but only because an attacker would have to penetrate the many layers of security wrapped around Exchange servers running in Office 365 datacenters.
Background communications reveal that the Exchange product group is actively working on a resolution “as quickly as possible.” While it’s impossible to say when a fix will be available, it’s reasonable to assume that the issue has caught the attention of the folks in Redmond and we should see movement soon. The best advice I can give is to keep an eye out for a patch from Microsoft in the near future.