Microsoft confirms critical Exchange vulnerability

This privilege escalation flaw would allow a remote attacker to impersonate an administrator

Microsoft has confirmed the existence of a privilege escalation vulnerability in Exchange Server that is rated critical. According to network security and ethical hacking specialists from the International Institute of Cyber Security, this flaw could allow an attacker with nothing more than an ordinary mailbox account to gain administrator privileges.

Both Microsoft and US-CERT issued alerts in recent days about this flaw, known as ‘PrivExchange’, noting that it has a score of 8.3/10 on the Common Vulnerability Scoring System (CVSS) scale. According to experts, the vulnerability stems from multiple errors in the default configurations, the email server, and the Exchange server calendar. The vulnerability affects versions 2013 and later.

Microsoft has not yet released update patches to fix that vulnerability; however, network security specialists mention that there are other risk mitigation methods. 

A week ago a proof of concept was published that describes how an Exchange user can use two Python-written tools to obtain domain admin privileges. In response, Microsoft stated: “To exploit this failure, the attacker would have to run a Man-in-the-Middle attack to forward an authentication request to Exchange Server, which would allow for identity spoofing”.

The PrivExchange vulnerability was first described by the network security expert Dirk-Jan Mollema, who developed a proof of concept that exploits some default Exchange configurations. According to Mollema, attackers can configure the EWS parameters to authenticate to an Exchange server and then authenticate the account using NTLM (a set of Microsoft security protocols).

Another default configuration error is that Exchange does not enforce signing on NTLM authentication traffic, so a malicious user could perform an NTLM relay (forwarding) attack against other computers on the administrator’s network.

Finally, Exchange servers hold high privileges by default, including over the domain controller. With administrator privileges, the attacker could gain access to the domain controller, which can be abused for many further hacking activities.

“Due to privileges granted by exploiting this vulnerability, an attacker could control anything in the Active Directory, such as system access, data reading and modification, and backdoor implementation to ensure persistence of vulnerability”, Mollema mentioned.

The specialist added: “Performing this attack is relatively easy, and some other implementations of the tools used in the concept test that allow the attack to be carried out through an infected workstation have already been launched”.

Microsoft has not published updates for this vulnerability, although there are ways to mitigate the risk of attack. Potentially affected users are those with on-premises deployments, because Exchange Online is not affected, and those still using NTLM, because systems that have disabled NTLM are not affected.

To address this vulnerability, users could define and apply a “constraint policy” that sets EwsMaxSubscriptions to zero. The EwsMaxSubscriptions parameter specifies the maximum number of active push and pull subscriptions that a user of Exchange Web Services can have at the same time on a specific Exchange server; limiting that number to zero prevents the Exchange server from sending the notifications the attack relies on.
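The mitigation above, applied and verified from the Exchange Management Shell, as an added example that is not part of the original article. The article’s “constraint policy” is an Exchange throttling policy (New-ThrottlingPolicy / Set-ThrottlingPolicy); the policy name is an assumed placeholder, and the final application-pool recycle is an assumption about what is needed for the new limit to reach already-open EWS connections.

```powershell
# Added example: set EwsMaxSubscriptions to 0 organization-wide and confirm it took effect.
$PolicyName = 'NoEwsSubscriptions'   # assumed placeholder name; choose your own

# Record the state before the change so the weak setting is visible in the audit trail.
Get-ThrottlingPolicy |
    Format-Table Name, ThrottlingPolicyScope, EwsMaxSubscriptions -AutoSize

# Create the organization-scope policy, or update it if it already exists.
$policy = Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    New-ThrottlingPolicy -Name $PolicyName `
                         -ThrottlingPolicyScope Organization `
                         -EwsMaxSubscriptions 0
} else {
    Set-ThrottlingPolicy -Identity $PolicyName -EwsMaxSubscriptions 0
}

# Verify: the policy must exist at Organization scope and report 0 subscriptions.
$check = Get-ThrottlingPolicy -Identity $PolicyName
if ($null -eq $check -or
    $check.ThrottlingPolicyScope -ne 'Organization' -or
    [string]$check.EwsMaxSubscriptions -ne '0') {
    throw "Mitigation not applied as expected on $env:COMPUTERNAME: $($check | Format-List | Out-String)"
}
Write-Output "EwsMaxSubscriptions=0 enforced via policy '$PolicyName'"

# Assumption: recycle the EWS application pool on each Exchange server so the limit
# also applies to sessions that were already open (requires the IIS WebAdministration module).
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeServicesAppPool'
```

Run it on every on-premises Exchange server in scope; Exchange Online deployments, which the article states are unaffected, do not need it.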