Vulnerability in Exchange Server 2010-2019

[German]From version 2010 to 2019 there is a vulnerability in Exchange Server, which should be fixed by an update sometime. However, you can deactivate the vulnerability via a registry entry – which has consequences. Addendum: In January 2019 a Proof of Concept has been published.


Exchange vulnerability CVE-2018-8581

CVE-2018-8581 describes an Elevation of Privilege vulnerability in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate another user of the Exchange server. To exploit the vulnerability, an attacker would need to perform a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange server to enable the representation of another Exchange user. It affects versions 2010 through 2019, and Microsoft plans to fix this vulnerability with an update sometime later.

Workaround to fix CVE-2018-8581

As a workaround to address this vulnerability, Microsoft suggests turning off loopback checking. To do this, go to the registry key:


in Registry Editor and delete the DisableLoopbackCheck value, which allows loopback checking. Microsoft provides the details here and suggests the following command.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /f


German site point out that this loopback check is needed in SharePoint (see this Technet article).

Addendum (01/26/2019): Proof of Concept published

We now have the end of January 2019, and Microsoft has still not provided a fix for these problems. On January 21, 2019 Dirk-jan Mollema published the article Abusing Exchange: One API call away from Domain Admin. And he presents a 0-day exploit to exploit the vulnerabilities. Mollema writes:

In most companies that use Active Directory and Exchange, Exchange servers have such high permissions that it is sufficient to be an administrator on an Exchange server. Then you can become a Domain Admin.

Mollema recently came across a ZDI blog in which they describe a way in which Exchange attackers using NTLM over HTTP can authenticate themselves. This can be combined with an NTLM relay attack to allow any user with an Exchange mailbox to upgrade to Domain Administrator.

Then Mollema describes in the blog post an attack, some of the more technical details and remedies. At the same time, he published a proof-of-concept tool for this attack, which he called "PrivExchange". Since there is still no patch available from Microsoft, only the registry hack described above can be used to disable DisableLoopbackCheck to secure the Exchange system.

Since the Proof of Concept was published, this story has been on the Internet. Woody Leonhard points out the facts here and The Register has also an article referencing Mollema's post.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *