Another brief note for Exchange administrators. There is an unpatched vulnerability (CVE-2018-8581) in all Exchange Server versions that could be used by remote attackers to take over the machine.
On 21 January 2019 Dirk-jan Mollema published a Proof-of-Concept (PoC) for escalating from an ordinary user account to AD administrator via an Exchange server. The Register then picked this up in this article. Since then, reports about the vulnerability identified by CVE-2018-8581 have been spreading around the internet. I read several articles saying that this vulnerability has been known since December 2018.
When I then read about the workaround, deactivating the DisableLoopbackCheck registry value, I briefly searched my blog. I noticed that in November 2018 I had already blogged about this unpatched vulnerability in all Exchange Server versions. The details, including the registry change that mitigates the vulnerability, were discussed in my November 2018 article Vulnerability in Exchange Server 2010-2019. I have now added the information that became public in January 2019.
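As an added example that is not part of this post or of any vendor guidance: a small PowerShell script that audits the DisableLoopbackCheck value on an Exchange server and removes it, which is the workaround mentioned above (deleting the value and setting it to 0 both restore the loopback check). It assumes the value sits under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, its standard location, and that it runs in an elevated session.

```powershell
# Added example, not from the original post. Audits and removes the
# DisableLoopbackCheck override on the local machine.
# Assumption: the value lives under the standard Lsa key shown below.

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DisableLoopbackCheck'

function Get-LoopbackCheckState {
    # 'Enforced': value absent or 0, the loopback check is active (desired state).
    # 'Disabled': value is 1, the weak setting the workaround removes.
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enforced' }
    if ($item.$valueName -eq 1) { return 'Disabled' }
    return 'Enforced'
}

function Remove-LoopbackCheckOverride {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before = Get-LoopbackCheckState
    if ($before -eq 'Disabled') {
        if ($PSCmdlet.ShouldProcess("$lsaPath\$valueName", 'Remove registry value')) {
            Remove-ItemProperty -Path $lsaPath -Name $valueName
        }
    }

    # Return a record suitable for logging across a fleet of servers.
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Before       = $before
        After        = Get-LoopbackCheckState
        Checked      = (Get-Date).ToString('s')
    }
}

# Preview first, then run without -WhatIf to apply the change.
Remove-LoopbackCheckOverride -WhatIf
```

Applications that depended on the loopback exemption (local access via a host name other than the machine name) may need their configuration revisited after the value is removed.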