Microsoft has confirmed an elevation of privilege vulnerability in Exchange Server that could let a remote attacker take administrative control of the Active Directory domain behind an exposed server. All an attacker needs to escalate to domain admin is credentials for an Exchange mailbox.
The vendor issued an advisory, supplemented by a United States Computer Emergency Readiness Team (US-CERT) alert, warning users of the potential exposure.
“An elevation of privilege vulnerability exists in Microsoft Exchange Server,” Microsoft said. “An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.”
The vulnerability (Microsoft tracks it as CVE-2019-0686; the identifier CVE-2019-0547 cited in some early coverage belongs to an unrelated Windows DHCP client flaw) has been given Microsoft’s highest Exploitability Index rating, meaning exploitation is considered likely. “Receiving emails is a large part of what Exchange is and if not fixed, can be detrimental to your company’s network. Failed exploit attempts can result in denial-of-service conditions,” Secrutiny, a London-based managed security services provider, said in a blog post.
At this point Microsoft has not issued a software patch to resolve the issue, but it has published workarounds. “A planned update is in development. If you determine that your system is at high risk then you should evaluate the proposed workaround,” the vendor said. Microsoft has “strongly encouraged” customers to test the workarounds before deploying them.
This from the CERT Coordination Center’s Vulnerability Note VU#465632:
“An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user's password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as an Exchange user.”
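The attack described above leaves a recognisable footprint on the domain controller that receives the relayed authentication: the Exchange server’s computer account logs on over NTLM, but the connection arrives from the attacker’s address rather than from the Exchange server itself. The following detection logic is an added example, not code from Microsoft, CERT/CC or the PrivExchange proof of concept. It runs over constructed Security event 4624 records in a flattened key=value form (not real logs), and the inventory of which addresses each machine account may originate from, `KNOWN_HOSTS`, is an assumption you would replace with your own asset data.

```python
"""Flag NTLM network logons by machine accounts that originate from a host
other than the machine itself, which is what a relayed authentication looks
like on the target (here a domain controller receiving the Exchange server's
relayed NTLM credentials over LDAP).
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample records (not real log data): Security event 4624,
# "An account was successfully logged on", rendered as key=value pairs.
SAMPLE_EVENTS = [
    # Normal: Exchange authenticates to the DC from its own address.
    "EventID=4624 TargetUserName=EXCH01$ TargetDomainName=CORP LogonType=3 "
    "AuthenticationPackageName=NTLM WorkstationName=EXCH01 IpAddress=10.0.0.10",
    # Normal: Kerberos rather than NTLM, so not relayable this way.
    "EventID=4624 TargetUserName=EXCH01$ TargetDomainName=CORP LogonType=3 "
    "AuthenticationPackageName=Kerberos WorkstationName=- IpAddress=10.0.0.10",
    # Suspicious: EXCH01$ logs on over NTLM, but the TCP connection comes from
    # 10.0.0.50. The relayed NTLM message still names EXCH01 as the workstation,
    # so the source address, not the workstation field, is the signal.
    "EventID=4624 TargetUserName=EXCH01$ TargetDomainName=CORP LogonType=3 "
    "AuthenticationPackageName=NTLM WorkstationName=EXCH01 IpAddress=::ffff:10.0.0.50",
    # Ordinary user logon: out of scope for this rule.
    "EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=3 "
    "AuthenticationPackageName=NTLM WorkstationName=WS17 IpAddress=10.0.0.77",
    # Local logon with no network source recorded.
    "EventID=4624 TargetUserName=DC01$ TargetDomainName=CORP LogonType=3 "
    "AuthenticationPackageName=NTLM WorkstationName=- IpAddress=-",
    # Failed logon: a different event ID, ignored here.
    "EventID=4625 TargetUserName=EXCH01$ TargetDomainName=CORP LogonType=3 "
    "AuthenticationPackageName=NTLM WorkstationName=EXCH01 IpAddress=10.0.0.50",
]

# Hypothetical inventory: the addresses each machine account is expected to
# originate NTLM network logons from. Replace with real asset data.
KNOWN_HOSTS: Dict[str, Set[str]] = {
    "EXCH01$": {"10.0.0.10"},
    "DC01$": {"10.0.0.1"},
}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value record into a dict."""
    return dict(_KV.findall(line))


def normalize_ip(ip: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix some hosts log (::ffff:a.b.c.d)."""
    ip = ip.strip()
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return ip


def find_relayed_machine_logons(
    lines: Iterable[str], known_hosts: Dict[str, Set[str]]
) -> List[Dict[str, str]]:
    """Return one finding per NTLM network logon of a machine account whose
    source address is not one the account is known to live at."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        # Only successful network logons negotiated over NTLM are relayable.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        account = ev.get("TargetUserName", "")
        if not account.endswith("$"):          # machine accounts only
            continue
        ip = normalize_ip(ev.get("IpAddress", "-"))
        if ip in ("-", "", "127.0.0.1", "::1"):  # no usable network source
            continue
        allowed = known_hosts.get(account)
        if allowed is None:
            reason = "machine account not in inventory"
        elif ip not in allowed:
            reason = "NTLM logon from address not assigned to this machine"
        else:
            continue
        findings.append({
            "account": account,
            "ip": ip,
            "workstation": ev.get("WorkstationName", ""),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_relayed_machine_logons(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"{f['account']} from {f['ip']} ({f['workstation']}): {f['reason']}")
```

Two caveats before running this against production logs: multi-homed or NAT’d Exchange servers need every address they can appear from listed in the inventory, and the rule only covers the variant in which the Exchange computer account is relayed. The password-less SMB to HTTP variant in the CERT/CC note relays an ordinary user to Exchange, and user accounts have no fixed source address, so that case needs a different signal.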
Dirk-jan Mollema of Fox-IT, who disclosed the vulnerability and dubbed it “PrivExchange,” estimated that 90 percent of the organizations he has seen using Exchange are vulnerable to the escalation. He has also released proof-of-concept code showing how the attack works.