{"id":7746,"date":"2018-11-20T00:09:00","date_gmt":"2018-11-19T23:09:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=7746"},"modified":"2022-05-12T06:13:37","modified_gmt":"2022-05-12T04:13:37","slug":"vulnerability-in-exchange-server-2010-2019","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/11\/20\/vulnerability-in-exchange-server-2010-2019\/","title":{"rendered":"Vulnerability in Exchange Server 2010-2019"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/11\/19\/sicherheitslcke-in-exchange-server-2010-2019\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Exchange Server versions 2010 through 2019 contain a vulnerability that Microsoft intends to fix with a future update. In the meantime the vulnerability can be mitigated via a registry entry &#8211; which has side effects. Addendum: In January 2019 a Proof of Concept was published.<\/p>\n<p><!--more--><\/p>\n<h2>Exchange vulnerability CVE-2018-8581<\/h2>\n<p><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2018-8581\">CVE-2018-8581<\/a> describes an Elevation of Privilege vulnerability in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate another user of the Exchange server. To exploit the vulnerability, an attacker would need to perform a man-in-the-middle attack that forwards an authentication request to a Microsoft Exchange server, which then allows impersonation of another Exchange user. 
It affects versions 2010 through 2019, and Microsoft plans to fix this vulnerability with a later update.<\/p>\n<h2>Workaround to fix CVE-2018-8581<\/h2>\n<p>As a workaround, Microsoft suggests removing the registry value that disables loopback checking, so that the check is active again. To do this, open the registry key:<\/p>\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa<\/p>\n<p>in Registry Editor and delete the <em>DisableLoopbackCheck<\/em> value, which re-enables loopback checking. Microsoft provides the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2018-8581\" target=\"_blank\" rel=\"noopener\">details here<\/a> and suggests the following command:<\/p>\n<p><em>reg delete HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa \/v DisableLoopbackCheck \/f<\/em><\/p>\n<p>The German site administrator.de points out that SharePoint depends on this loopback check setting (see <a href=\"https:\/\/web.archive.org\/web\/20170626201523\/https:\/\/blogs.technet.microsoft.com\/sharepoint_foxhole\/2010\/06\/21\/disableloopbackcheck-lets-do-it-the-right-way\/\" target=\"_blank\" rel=\"noopener\">this Technet article<\/a>).<\/p>\n<h2>Addendum (01\/26\/2019): Proof of Concept published<\/h2>\n<p>It is now the end of January 2019, and Microsoft has still not provided a fix for these problems. On January 21, 2019 Dirk-jan Mollema published the article <a href=\"https:\/\/dirkjanm.io\/abusing-exchange-one-api-call-away-from-domain-admin\/\" target=\"_blank\" rel=\"noopener\">Abusing Exchange: One API call away from Domain Admin<\/a>, in which he presents a 0-day exploit for the vulnerabilities. Mollema writes:<\/p>\n<blockquote><p>In most companies that use Active Directory and Exchange, Exchange servers have such high permissions that it is sufficient to be an administrator on an Exchange server. 
Then you can become a Domain Admin.<\/p><\/blockquote>\n<p>Mollema recently came across a ZDI blog post describing a way to make Exchange authenticate to an attacker using NTLM over HTTP. Combined with an NTLM relay attack, this allows any user with an Exchange mailbox to escalate to Domain Administrator.<\/p>\n<p>Mollema then describes the attack in his blog post, along with some of the more technical details and remedies. At the same time he published a <a href=\"https:\/\/github.com\/dirkjanm\/privexchange\/\" target=\"_blank\" rel=\"noopener\">proof-of-concept tool<\/a> for this attack, which he called \"PrivExchange\". Since Microsoft has still not released a patch, the registry change described above (removing the DisableLoopbackCheck value) is the only available measure to secure the Exchange system.<\/p>\n<p>Since the Proof of Concept was published, the story has spread across the Internet. Woody Leonhard summarizes the facts <a href=\"https:\/\/www.askwoody.com\/2019\/microsoft-exchange-0day-exploit-code-published\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, and The Register also has an <a href=\"https:\/\/www.theregister.co.uk\/2019\/01\/25\/microsoft_exchange_domain_admin_eop\/\" target=\"_blank\" rel=\"noopener\">article<\/a> referencing Mollema's post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]From version 2010 to 2019 there is a vulnerability in Exchange Server, which should be fixed by an update sometime. However, you can deactivate the vulnerability via a registry entry &#8211; which has consequences. 
Addendum: In January 2019 a Proof &hellip; <a href=\"https:\/\/borncity.com\/win\/2018\/11\/20\/vulnerability-in-exchange-server-2010-2019\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[1692,69],"class_list":["post-7746","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exchange-server","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=7746"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7746\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=7746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=7746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=7746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}