Autodiscover password leak vulnerability known to Microsoft for 5 years

Another brief post in which I revisit a topic from last week. I had reported that there is a vulnerability in the Autodiscover protocol, which is used by Microsoft Exchange, that reveals passwords. In the meantime, Microsoft is trying to register the abusable Autodiscover domains in response to the reporting. However, it has now become known that this weakness has been known at Microsoft for at least 5 years without anything happening.


The Autodiscover problem

Autodiscover is a protocol used by Microsoft Exchange to automatically configure email accounts for clients like Microsoft Outlook. The goal of the protocol is to allow an end user to fully configure their Outlook client by simply providing their username (the email address) and password, and leaving the rest of the configuration to Microsoft Exchange's Autodiscover protocol.

However, security researchers at Guardicore had recently publicly pointed out a design flaw in the Autodiscover protocol used by Microsoft Exchange in the blog post Autodiscovering the Great Leak. The problem: attackers would be able to use external Autodiscover TLD domains to grab credentials, because when setting up an account, clients send a ping with the credentials (username, password, domain) to a series of different addresses.

If the pinged Exchange server doesn't respond with valid data to the client, the client tries additional Autodiscover TLD URLs. And some mail clients send their Exchange account credentials in plain text via HTTP. I had described this issue in more detail in the article Microsoft Exchange autodiscover design flaw leaks credentials to third party instances.
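To make the fallback behaviour described above concrete, here is an added example (my own illustration, not code from the post or from Guardicore). It models the Autodiscover URL order as the post describes it: the user's own domain first, then the "back-off" that drops the left-most label and prepends autodiscover. until only the TLD is left. The exact order and the http/https pairing are assumptions for illustration. The audit function flags which candidates would carry credentials to a host outside the user's own domain or over plaintext HTTP, and a second function applies the same check to constructed proxy log lines, which is what a defender would want to alert on.

```python
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> list[str]:
    """Return the Autodiscover URLs a client is assumed to try, in order.

    Models the behaviour described in the post: the user's own domain first,
    then the "back-off" that drops the left-most label of the domain and
    prepends "autodiscover." until only the TLD remains.  The exact order and
    the http/https pairing are assumptions for illustration.
    """
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):  # example.com -> com
        parent = ".".join(labels[i:])
        urls.append(f"https://autodiscover.{parent}{AUTODISCOVER_PATH}")
        urls.append(f"http://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def in_org(host: str, domain: str) -> bool:
    """True if host is the organisation's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_candidates(email: str) -> list[tuple[str, str]]:
    """Flag candidate URLs that would send credentials outside the org or in plaintext."""
    domain = email.rsplit("@", 1)[1].lower()
    findings = []
    for url in autodiscover_candidates(email):
        p = urlparse(url)
        reasons = []
        if not in_org(p.hostname, domain):
            reasons.append("host outside user's domain")
        if p.scheme == "http":
            reasons.append("plaintext HTTP")
        if reasons:
            findings.append((url, "; ".join(reasons)))
    return findings


# Constructed proxy log lines (not real data), format: "client method url"
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST https://autodiscover.example.com/autodiscover/autodiscover.xml
10.0.0.5 POST http://autodiscover.example.com/autodiscover/autodiscover.xml
10.0.0.7 POST https://autodiscover.com/autodiscover/autodiscover.xml
10.0.0.7 GET https://www.example.com/index.html
"""


def suspicious_autodiscover_requests(log: str, org_domain: str) -> list[str]:
    """Return proxy log lines for Autodiscover requests that leave the org or use plaintext HTTP."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, _method, url = parts
        p = urlparse(url)
        if not p.path.lower().endswith(AUTODISCOVER_PATH):
            continue
        if p.scheme == "http" or not in_org(p.hostname.lower(), org_domain):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for url, why in audit_candidates("alice@example.com"):
        print(f"{why:45} {url}")
    for line in suspicious_autodiscover_requests(SAMPLE_PROXY_LOG, "example.com"):
        print("ALERT:", line)
```

For alice@example.com the audit flags the plaintext request to autodiscover.example.com and both requests to autodiscover.com, which is exactly the class of host the post says Microsoft is now trying to register. Over the sample log, the two lines that leave the organisation or use plain HTTP are returned; everything else is ignored.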

The problem was known for 5 years

Clearly, it's a client issue, but that doesn't really make it any better. My last status was that since the Guardicore release, Microsoft has started registering the TLDs for Autodiscover (see my post Microsoft tries to register Autodiscover domains). This makes misuse of these Autodiscover TLDs by third parties impossible.

The day before, I read at heise that this problem was known at Microsoft for at least five years. The website The Register published the article Microsoft snubs alert over Exchange hole on September 19, 2016. Marco van Beek had come across the above-mentioned vulnerability at the time and informed Microsoft about the problem on August 10, 2016. Van Beek wrote about it:


I recently discovered that most, if not all, Microsoft Exchange clients (e.g. Outlook, iPhone Mail App, Android Mail App, Blackberry Mail App) are happy to pass a user's password in clear text to any web server in the same domain used in an email address, and that this only requires four lines of code and a local configuration file.

Van Beek assumed an Exchange server had been hacked, while Guardicore proved via their Autodiscover domains registered as honeypots that misconfigured Exchange servers could also lead to the password leak. Microsoft's response from October 2016 did not really satisfy van Beek, because Redmond downplayed the severity of the alleged vulnerability in Exchange's Autodiscover detection. Microsoft explained at the time that it saw no need to close the reported vulnerability and claimed that its existing security advisories covered the problem. This point was disputed by Marco van Beek.

It may be that Microsoft's security people didn't recognize the problem or didn't really investigate it. Long story short: the heavy attacks on Microsoft Exchange instances in recent months, as well as the Guardicore release, have probably caused a change of mind at Microsoft. All in all, however, it is anything but nice – imho.

Similar articles:
Microsoft Exchange autodiscover design flaw leaks credentials to third party instances
Microsoft tries to register Autodiscover domains
Microsoft 365 bug: Mails from Exchange Online and Outlook end up in the spam folder
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 break ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server September 2021 CU (2021/09/28)
Exchange Server September 2021 CU comes on Sept. 28, 2021 with Microsoft Exchange Emergency Mitigation Service
