Microsoft Exchange Domain Escalation Vulnerability

Summary

A security researcher has disclosed details of a zero-day vulnerability in the Microsoft Exchange mail server.


Threat details

The researcher claims this vulnerability could be exploited by any user with access to an Exchange mailbox to obtain domain administrator privileges.

The vulnerability is a result of three separate components which, when combined, can result in full domain access:

  • High Default Exchange Permissions - By default, Exchange servers hold high-level permissions on the Active Directory (AD) domain. Members of the ExchangeWindowsPermissions group are able to modify the domain's privileges, among them the privilege to synchronise the hashed passwords of all AD users. Access to these hashes could allow a threat actor to impersonate any user and authenticate to any service that accepts NT LAN Manager (NTLM) or Kerberos authentication.
  • NTLM Authentication Relay Attacks - The NTLM protocol itself is vulnerable to relay attacks over SMB and LDAP: a form of attack in which a threat actor relays authentication messages between two or more unaware parties. A threat actor could use this to intercept the authentication negotiation between a legitimate user and a server, authenticating to that server in place of the user.
  • Exchange Automatic Authentication - Exchange includes a feature called PushSubscription that can be made to authenticate automatically to an arbitrary URL over HTTP using NTLM authentication hashes. A threat actor can exploit this to impersonate any other Exchange user.

By adapting known exploits for these components, the researcher found that a threat actor could force an Exchange server to send them another authenticated user's NTLM credentials. These can then be relayed to the underlying AD domain controller, granting the threat actor escalated Exchange privileges in the process. They can then use those privileges to perform a hashed password synchronisation and impersonate any user on the AD domain.

This vulnerability relies on exploitation of the elevated AD permissions of the ExchangeWindowsPermissions group. Platforms using Active Directory Federated Services (ADFS) for authentication purposes, such as Office 365 Exchange and Exchange Online, are not vulnerable.
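Because the chain depends on the Exchange group's rights over the domain object itself, an administrator's first check is whether that group actually holds rights that allow it to rewrite domain permissions or replicate password hashes. The following audit script is an added example, not part of the original advisory and not Microsoft's own tooling; it assumes the ActiveDirectory PowerShell module, read access to the domain object, and that the group's resolved name contains "Exchange Windows Permissions" (the group the advisory writes as ExchangeWindowsPermissions). The set of rights flagged as sensitive is an assumption chosen for illustration.

```powershell
# Added example (not from the advisory): audit the domain object's ACL for
# allow entries granted to the Exchange Windows Permissions group.
# Assumes the ActiveDirectory module is available and the AD: drive is mounted.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path ("AD:\" + $domainDn)

# Rights that let a holder change the domain's own permissions, or exercise an
# extended right (the replication rights used for password hash sync are
# extended rights; the ObjectType GUID says which one). Assumed list.
$sensitiveRights = 'WriteDacl', 'WriteOwner', 'GenericAll', 'ExtendedRight'

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Assumed name match for the Exchange group; adjust for your locale/naming.
    if ($ace.IdentityReference.Value -notlike '*Exchange Windows Permissions*') { continue }

    # ActiveDirectoryRights is a flags enum; ToString() yields "WriteDacl, WriteOwner".
    $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $hit    = $rights | Where-Object { $sensitiveRights -contains $_ }
    if ($hit) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Rights     = ($hit -join ', ')
            ObjectType = $ace.ObjectType      # GUID of the extended right, if any
            Inherited  = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Exchange Windows Permissions holds sensitive rights on $domainDn"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No sensitive rights for Exchange Windows Permissions found on $domainDn"
}
```

Run it as a domain user with read access to the domain object; it changes nothing. A non-empty result shows the precondition the advisory describes is present, which is useful input to the risk assessment mentioned under the remediation steps.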

For further information:


Remediation steps

At the time of publication, Microsoft have not directly acknowledged the vulnerability, but have suggested they do not intend to release any out-of-band updates.

In the meantime, users and administrators are encouraged to implement the following partial mitigations where suitable:

Update

Microsoft have now released an ad-hoc security advisory addressing this vulnerability. They recommend blocking all EWS subscriptions with a throttling policy, as follows:

  1. Create an organization-scoped policy that blocks all EWS subscriptions:

     New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

  2. Create a regular-scoped policy, which can be used to whitelist trusted users who must have full EWS functionality:

     New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

  3. Assign the regular policy to any such users:

     Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions
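The three steps above, carried through as one idempotent script with a verification pass at the end. This is an added example, not Microsoft's or the advisory's own script; it assumes it is run from the Exchange Management Shell, that the allow list is keyed by mailbox alias, and that the ThrottlingPolicy property returned by Get-Mailbox renders as a string containing the policy name (both assumptions are marked in the code). The allow list itself is a constructed placeholder.

```powershell
# Added example (not from the advisory): apply the EWS-subscription workaround
# and verify it. Run from the Exchange Management Shell.
$allowList = @('User1')   # constructed placeholder: aliases that genuinely need EWS subscriptions

# 1. Organisation-wide policy: no EWS subscriptions for anyone by default.
if (-not (Get-ThrottlingPolicy -Identity NoEwsSubscriptions -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
}

# 2. Regular-scoped exception policy for the allow list.
if (-not (Get-ThrottlingPolicy -Identity AllowEwsSubscriptions -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000
}

# 3. Assign the exception policy only to allow-listed mailboxes.
foreach ($user in $allowList) {
    Set-Mailbox -Identity $user -ThrottlingPolicy AllowEwsSubscriptions
}

# Verification (a): both policies exist with the expected subscription limits.
Get-ThrottlingPolicy |
    Where-Object { $_.Name -in 'NoEwsSubscriptions', 'AllowEwsSubscriptions' } |
    Format-Table Name, ThrottlingPolicyScope, EwsMaxSubscriptions -AutoSize

# Verification (b): no mailbox outside the allow list carries the exception policy.
# Assumes the ThrottlingPolicy property stringifies to something containing the policy name.
$unexpected = Get-Mailbox -ResultSize Unlimited | Where-Object {
    $_.ThrottlingPolicy -and
    ("$($_.ThrottlingPolicy)" -like '*AllowEwsSubscriptions*') -and
    ($allowList -notcontains $_.Alias)
}
if ($unexpected) {
    Write-Warning "Mailboxes carrying AllowEwsSubscriptions outside the allow list:"
    $unexpected | Format-Table Alias, ThrottlingPolicy -AutoSize
} else {
    Write-Output "Exception policy is assigned only to allow-listed mailboxes."
}
```

The existence checks make the script safe to re-run after the allow list changes; the second verification is the one worth scheduling, since a mailbox quietly given the exception policy later re-opens the path the organisation-wide policy closed.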

Microsoft have also stated that this workaround will affect certain services including Outlook for Mac and Skype for Business. Organisations are encouraged to perform an appropriate risk assessment to ensure that any impact from applying this workaround is manageable.

Update

Microsoft have released an update to address this vulnerability as part of their standard patching regime. Users and administrators are encouraged to review Microsoft Releases February 2019 Security Updates CC-2933 and apply the necessary updates.


Last edited: 14 February 2020 2:48 pm