There is a “PrivExchange” vulnerability in all Microsoft Exchange Server versions. Microsoft has now published a new Security Advisory, ADV190007, on February 5, 2019.
What we know so far
This is a topic that I have already addressed several times within this blog. In all versions of Exchange Server (2010 to 2019), there is a vulnerability that allows privilege escalation.
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
The attacker must have a mailbox on the Exchange server. They can then use a man-in-the-middle attack to impersonate another user and gain administrator rights. All in all, the following weaknesses combine to make this attack possible:
- By default, Exchange servers have too high privileges for user accounts.
- NTLM authentication is vulnerable to relay attacks.
- Exchange has a feature that allows an attacker to authenticate with the Exchange server’s computer account.
I’ve reported about this within my blog post Vulnerability in Exchange Server 2010-2019. Until now, no patch to fix the vulnerabilities is available. In January 2019 a security researcher released a proof of concept for an attack to gain AD administrator rights via an Exchange Server. I’ve written about that within my blog post AD and Exchange Server vulnerable via EWS API.
Microsoft Security Advisory ADV190007
I guess that, as a consequence of the proof of concept mentioned above, Microsoft released Security Advisory ADV190007 on February 5, 2019. If an administrator determines that their Exchange server system is at high risk, they should evaluate the workaround proposed by Microsoft. Microsoft says:
To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. Please see Throttling Policy for more information.
The Throttling Policy may be set using the following PowerShell command:
New-ThrottlingPolicy -Name AllUsersEWSSubscriptionBlockPolicy -EwsMaxSubscriptions 0 -ThrottlingPolicyScope Organization
This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally. Examples of impacted applications include Outlook for Mac, Skype for Business, notification reliant LOB applications, and some iOS native mail clients.
Microsoft is working on an update, but does not specify a release date. Once the update is available and has been installed, the Throttling Policy for EWSMaxSubscriptions can be removed using the PowerShell command:
Remove-ThrottlingPolicy -Identity AllUsersEWSSubscriptionBlockPolicy
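As an added example (not from this post, and not Microsoft’s own script), the following PowerShell wraps the two advisory commands so an administrator can first see which throttling policies already set an EWS subscription limit, apply the workaround only if it is not already in place, and later undo it. It assumes the Exchange Management Shell (or a remote session exposing the *-ThrottlingPolicy cmdlets) with Organization Management rights; the policy name is the one from the advisory.

```powershell
# Added example: idempotent wrapper around the ADV190007 workaround.
# Assumes an Exchange Management Shell session with Organization Management rights.
$PolicyName = 'AllUsersEWSSubscriptionBlockPolicy'   # name used in the advisory

function Get-EwsSubscriptionState {
    # List every throttling policy with its EWS subscription limit. Note that a
    # mailbox explicitly assigned a Regular-scope policy keeps that policy's
    # limit, so the Organization-scoped block does not cover it; check here first.
    Get-ThrottlingPolicy | Select-Object Name, ThrottlingPolicyScope, IsDefault,
        @{ Name = 'EwsMaxSubscriptions'; Expression = { [string]$_.EwsMaxSubscriptions } }
}

function Enable-EwsSubscriptionBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $existing = Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        if ([string]$existing.EwsMaxSubscriptions -eq '0') {
            Write-Verbose "$PolicyName already exists with EwsMaxSubscriptions = 0"
            return $existing
        }
        # Policy exists but with a different limit: correct it instead of recreating.
        if ($PSCmdlet.ShouldProcess($PolicyName, 'Set EwsMaxSubscriptions to 0')) {
            Set-ThrottlingPolicy -Identity $PolicyName -EwsMaxSubscriptions 0
        }
        return Get-ThrottlingPolicy -Identity $PolicyName
    }
    if ($PSCmdlet.ShouldProcess($PolicyName, 'Create organization-scoped block policy')) {
        # Same command as in the advisory, applied to the whole organization.
        New-ThrottlingPolicy -Name $PolicyName -EwsMaxSubscriptions 0 -ThrottlingPolicyScope Organization
    }
}

function Disable-EwsSubscriptionBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Run only after Microsoft's update is installed; this restores EWS notifications.
    if (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($PolicyName, 'Remove block policy')) {
            Remove-ThrottlingPolicy -Identity $PolicyName -Confirm:$false
        }
    }
}

# Typical use: inspect current state, dry-run the change, then apply and re-check.
Get-EwsSubscriptionState | Format-Table -AutoSize
Enable-EwsSubscriptionBlock -WhatIf
```

Running `Enable-EwsSubscriptionBlock` without `-WhatIf` applies the policy; re-running `Get-EwsSubscriptionState` afterwards confirms the zero limit and shows any per-user policies that still need attention.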
Further details may be obtained at ADV190007.