Microsoft Exchange Vulnerability Could Allow for Privilege Escalation
January 05, 2019
A Microsoft Exchange vulnerability has been discovered that gives anyone with access to an Exchange mailbox the opportunity to elevate their privileges to Domain Administrator.
Exposed by researcher Dirk-jan Mollema of Fox-IT, one of the main problems is that ‘Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin’.
With the likelihood of exploit success rated ‘very high’ by Infrastructure Analyst Chris Libby, the aftermath of an attack could be devastating. If the vulnerability is exploited, it could permit the attacker to carry out a series of malicious activities, including bypassing normal authentication or encryption in a computer system and attempting to impersonate any other user of the Exchange server.
Microsoft claim that to exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
According to Dirk-jan, the vulnerability isn’t one single flaw but a combination of three components.
The three main issues discovered were:
1. Exchange Web Services (EWS) – Microsoft Exchange supports an API called EWS, which can be made to authenticate to an attacker using the computer account of the Exchange server.
2. NTLM authentication’s vulnerability to relay attacks – The authentication is done using NTLM over HTTP, and the Exchange server also fails to set the signing and sealing flags on its NTLM authentication traffic, which makes this authentication attempt vulnerable to NTLM relay attacks.
3. Microsoft’s Exchange Servers – Exchange servers are installed with high privileges by default in the Active Directory domain, which allows anyone holding those privileges to change domain privileges, including granting the right to perform DCSync operations.
Dirk-jan has also released proof-of-concept code, dubbed PrivExchange, demonstrating how the attack operates.
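The third component above ends with an ordinary account holding DCSync rights, which is the point a defender can observe. As an added detection example (not code from this article or from the PrivExchange research), the following Python flags replication requests recorded in Windows Security Event 4662 that come from principals other than known domain controllers; the event records, domain and account names are constructed.

```python
import json

# Well-known control-access-right GUIDs that appear in the "Properties" field of
# Windows Security Event 4662 when a principal requests directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed sample events (not real logs), as JSON lines a SIEM might export.
# DC02$ replicating is normal; "jdoe" pulling replication data is the DCSync outcome.
SAMPLE_EVENTS = """\
{"EventID":4662,"SubjectUserName":"DC02$","SubjectDomainName":"CORP","ObjectType":"domainDNS","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4662,"SubjectUserName":"jdoe","SubjectDomainName":"CORP","ObjectType":"domainDNS","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4662,"SubjectUserName":"jdoe","SubjectDomainName":"CORP","ObjectType":"user","Properties":"{bf967a7f-0de6-11d0-a285-00aa003049e2}"}
{"EventID":4624,"SubjectUserName":"jdoe","SubjectDomainName":"CORP"}
"""

def is_replication_request(event: dict) -> bool:
    """True when a 4662 event requests one of the replication control-access rights."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)

def find_unexpected_dcsync(jsonl: str, dc_accounts: set) -> list:
    """Return replication requests made by principals that are not known DCs.

    dc_accounts: sAMAccountNames of domain controller computer accounts (e.g. "DC02$"),
    the only principals expected to pull replication data in a healthy domain.
    """
    known = {a.upper() for a in dc_accounts}
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_replication_request(event):
            continue
        actor = event.get("SubjectUserName", "")
        if actor.upper() not in known:
            hits.append({"actor": f'{event.get("SubjectDomainName", "")}\\{actor}',
                         "properties": event.get("Properties", "")})
    return hits

if __name__ == "__main__":
    for hit in find_unexpected_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print("possible DCSync by non-DC principal:", hit["actor"])
```

Feed it a real 4662 export and the list of your DC computer accounts; any account other than a DC (or a known backup/replication service account you add to the set) requesting these rights deserves an immediate look.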