[English] Trend Micro's Zero Day Initiative (ZDI) has published advisories for four unpatched vulnerabilities (so-called 0-days) in Microsoft Exchange. They were reported to Microsoft in September 2023, and ZDI rates them with CVSS scores of 7.1 to 7.5. Microsoft's security experts do not consider the vulnerabilities serious enough to require immediate action (authentication is required for exploitation); Microsoft has announced fixes "for later". That is why ZDI has gone public: it still sees a realistic possibility of remote code execution (RCE) and data theft.
I became aware of this article from my colleagues at Bleeping Computer tonight via the following tweet – they have summarized the details. A blog reader also pointed out the facts to me by email this morning (thanks for that).
Four 0-days in Microsoft Exchange
On September 7 and 8, 2023, Trend Micro's Zero Day Initiative (ZDI) reported four previously unknown and (at the time of reporting) unpatched vulnerabilities to Microsoft. Although Microsoft's security experts have confirmed the vulnerabilities to ZDI, they do not consider them serious enough to respond immediately with updates; fixes are "planned for later". ZDI takes a fundamentally different view and published the following security advisories on November 2, 2023.
- ZDI-23-1578: ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 7.5). A remote code execution (RCE) flaw in the ChainedSerializationBinder class, where user-supplied data is not sufficiently validated, so an attacker can get the server to deserialize untrusted data. Successful exploitation lets the attacker execute arbitrary code as SYSTEM, the highest privilege level on Windows. Authentication is required to exploit this vulnerability.
- ZDI-23-1579: DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability (CVSS 7.1). The flaw lies in the DownloadDataFromUri method and results from insufficient validation of a URI before the server accesses the resource it points to. An attacker can use it to disclose sensitive information from the Exchange server. Authentication is required to exploit this vulnerability.
- ZDI-23-1580: DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability (CVSS 7.1). The same class of flaw in the DownloadDataFromOfficeMarketPlace method; it allows remote attackers to disclose sensitive information on affected Exchange installations. Authentication is required to exploit this vulnerability.
- ZDI-23-1581: CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability (CVSS 7.1). The same class of flaw in the CreateAttachmentFromUri method; it allows remote attackers to disclose sensitive information on affected Exchange installations. Authentication is required to exploit this vulnerability.
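The vulnerability class behind ZDI-23-1578 is "deserialize whatever type names the attacker's stream asks for". The following is an added example, not code from the ZDI advisory or from Exchange; it uses Python's pickle as a stand-in for .NET binary serialization and a `find_class` override as the analogue of a type-restricting SerializationBinder. The `Payload` class, the `ALLOWED_TYPES` allow-list and the sample streams are constructed for the demonstration; the hostile payload calls `os.getcwd()` purely as a harmless proof that the attacker chooses the callable.

```python
import datetime
import io
import os
import pickle


class Payload:
    """Constructed attacker object: on unpickling it invokes os.getcwd().
    A real payload would name os.system or a .NET gadget chain instead."""

    def __reduce__(self):
        return (os.getcwd, ())


# Assumed allow-list: the only (module, name) pairs the application
# legitimately expects to find inside a serialized stream.
ALLOWED_TYPES = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Python analogue of a type-restricting SerializationBinder: every
    global the stream references is checked before it is resolved."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")


def unsafe_load(data: bytes):
    """Vulnerable pattern: resolves whatever type names the stream asks for."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened pattern: same stream format, allow-listed types only."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    benign = pickle.dumps({"reported": datetime.date(2023, 9, 7), "count": 4})
    hostile = pickle.dumps(Payload())
    results = {"benign_safe": safe_load(benign)}
    # The unrestricted loader executes the attacker's chosen callable.
    results["hostile_unsafe_ran"] = unsafe_load(hostile) == os.getcwd()
    try:
        safe_load(hostile)
        results["hostile_safe_blocked"] = False
    except pickle.UnpicklingError:
        results["hostile_safe_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take away is that the binder (here `find_class`) is the last line of defence: it must fail closed on anything not explicitly expected, and a binder that falls back to the default resolver for unknown names is equivalent to no binder at all.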
As things currently stand, exploiting the vulnerabilities requires the attacker to be authenticated, which is probably the reason for Microsoft's decision not to patch immediately. It cannot be assumed, however, that attackers will never find a way to authenticate to the system and then exploit the vulnerability.
ZDI currently sees only one mitigation strategy: restricting interaction with the Exchange servers. How well administrators in companies can actually implement that is another matter. The ball is thus in the administrators' court, because, according to the following statement, Microsoft is not saying when patches can be expected, as the vulnerabilities have not been classified as serious enough to require immediate action.
Microsoft's statement
Microsoft welcomes the work of the security researchers who found the vulnerabilities and reported them under coordinated disclosure, and says it is committed to taking the necessary steps to protect its customers. On reviewing the reports, however, the company found that the vulnerabilities have either already been fixed (presumably in the latest security updates) or do not meet the bar for immediate servicing under Microsoft's severity classification guidelines. Microsoft's developers will therefore evaluate whether to fix them in future product versions and updates.