News

Exchange Open to Escalation-of-Privilege Attacks, Warn Researchers

• By Kurt Mackie
• 01/31/2019

Exchange Server versions from Exchange Server 2013 and newer have a vulnerability that could permit the impersonation of any user, leading to "control of an affected system," according to researchers from the U.S. Computer Emergency Readiness Team (UC-CERT).

US-CERT noted the flaw this week, though Microsoft warned about it back in November in an advisory. It was assigned the common vulnerabilities and exposures number of CVE-2018-8581.

The CERT Coordination Center described it as a "NTLM relay attack" vulnerability, which affects Exchange Server 2013 and newer Exchange Server versions, in a vulnerability note. The vulnerability is present because Exchange Server fails to set "signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange Server."

An attack can occur if the attacker has "credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller," US-CERT noted. It can also happen without the attacker having an Exchange user's password, according to researchers. US-CERT recommended disabling Exchange Web Services push/pull subscriptions and removing Exchange privileges on the domain object, but noted that those measures aren't supported by Microsoft.

Microsoft had described the vulnerability as an elevation-of-privilege issue for Exchange Server, and suggested that a so-called "man-in-the-middle" type of approach would be needed to exploit it. Microsoft's advisory gave it an Exploitability Assessment ranking of "2," for "less likely" to be exploited, as well as an "Important" severity ranking. Right now, there's no software patch for the vulnerability, nor is there a workaround. Instead, Microsoft's advisory suggested altering the Registry to delete a DisableLoopbackCheck value as a stop-gap approach.

However, a Jan. 29 post by the SANS Institute's Internet Storm Center suggested that Microsoft's recommendation won't address the vulnerability:

Note that the deletion of registry key as specified in Microsoft's advisory for CVE-2018-8581 does not fix this vulnerability! It prevents a malicious user from impersonating another user on the Exchange server, but not on a Domain Controller, through LDAP. Additionally, I have installed patches on an Exchange 2016 servers, and the registry key was not removed (even though Microsoft's advisory says that they will remove it).

The SANS Institute post indicated that "Exchange 2013, 2019 and 2019 have been confirmed as vulnerable." The vulnerability isn't present on Exchange Server 2010 because it has a signing capability that's lacking in the later products. The vulnerability status of Exchange Server 2007 is "unknown at this time."

Trend Micro's Zero Day Initiative team apparently first described how the Exchange Server vulnerability works back in December. The vulnerability allows anyone to impersonate anyone else on an Exchange Server-based network. It could be used in spear-phishing campaigns.

"While this bug certainly could be used for some interoffice hijinks, it's much more likely that this vulnerability would be used in a spear phishing campaign, data exfiltration, or other malware operation," the ZDI team wrote.

Security researcher Dirk-jan Mollema provided his description of the vulnerability in this blog post. He suggested that Exchange Servers have privileges within an organization's Active Directory that are too high. The vulnerability could be used to escalate privileges to the "Domain Admin" level via "golden tickets," based on the ZDI team's analysis. It's especially possible to carry out the exploit when the attacker uses "NTLM over HTTP," he added.

"This [vulnerability] can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I've seen that use Exchange," Mollema wrote.

Mollema also suggested that compromised credentials aren't needed to perform the attack: "If an attacker is only in a position to perform a network attack, but doesn't have any credentials, it is still possible to trigger Exchange to authenticate."

Mollema offered a bulleted list of suggestions on how to address the Exchange Server vulnerability. It includes removing the "unnecessary high privileges that Exchange has on the Domain object" and enabling LDAP signing. Organizations can also "block Exchange servers from making connections to workstations on arbitrary ports," among other tips. He also recommended carrying out Microsoft's recommendation.

The Center for Internet Security also weighed in on the Exchange Server vulnerability in a Jan. 29 advisory. The nonprofit group assigned it a risk of "High" for large entities and "Medium" for small ones, in contrast to Microsoft's weightings.

Microsoft's advisory does suggest that it will deliver a future cumulative update to Exchange Server that will delete a problematic registry value with regard to NTLM, although the timing wasn't mentioned.

"To address this vulnerability, a registry value which enables NTLM authentication on the network loopback adapter needs to be removed," the advisory stated. "Future cumulative updates will ensure that this registry setting is configured correctly during installation of the cumulative update."