You will want to take note of this. Exchange Server zero-day exploits are very rare, which usually means you should be concerned when you hear about one.

But, before going any further – Microsoft is actively working to resolve the issue as quickly as possible, so expect to hear more from the Exchange team in the coming days.

Security researcher Dirk-jan Mollema has recently blogged about a newly disclosed vulnerability in Exchange and how it can be exploited to allow an attacker to obtain escalated privileges. Most Exchange Server administrators will know that Exchange Server is very closely integrated with Active Directory and requires extensive permissions there.

The attack relies on two key components to be successful.

First, it relies on the attacker holding a man-in-the-middle position so that an NTLM relay attack can be performed against Exchange Server. In essence, the attacker intercepts the authentication exchange and relays it elsewhere. This in itself isn’t an Exchange vulnerability, but because Exchange uses NTLM over various HTTP channels, it is susceptible to this kind of relay.

The second component is the ability of an attacker to make Exchange attempt to authenticate as its computer account. To do this, the attacker can use Exchange Web Services, specifically the EWS Push Subscription feature, to make Exchange Server open a new outbound HTTP connection to an arbitrary URL and attempt NTLM authentication against it.

In the meantime, Microsoft are not recommending performing any of the actions listed in Mollema’s blog, such as removing privileges. It’s worth noting, though, that many organizations already block arbitrary access to Exchange Web Services URLs, and also restrict Exchange Servers from making arbitrary outbound connections to servers on the internet.
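As an added, read-only example (not from the article, Microsoft, or Mollema’s post), the following Exchange Management Shell audit reports the settings the above advice turns on: the build of each server, whether outbound HTTP from Exchange goes through a proxy where egress can be filtered, which throttling policies cap EWS subscriptions and which mailboxes are exempted from the default, and whether the DisableLoopbackCheck value referenced in the CVE is present on the local server. It assumes it is run in the Exchange Management Shell on an Exchange server and changes nothing.

```powershell
# Added audit example; not part of the original article. Run in the Exchange
# Management Shell on an Exchange server. Read-only: it reports, it does not change.

# 1. Patch level: the fix for CVE-2018-8581 ships per CU, so record each server's build.
$servers = Get-ExchangeServer
$servers | Select-Object Name, ServerRole, AdminDisplayVersion | Format-Table -AutoSize

# 2. Outbound HTTP path: EWS push subscriptions make Exchange itself open outbound HTTP
#    connections. InternetWebProxy shows whether those go through a proxy (where egress
#    can be filtered); an empty value means no Exchange-level proxy is configured.
$servers |
    Select-Object Name, @{ n = 'InternetWebProxy'; e = {
        if ($_.InternetWebProxy) { $_.InternetWebProxy } else { '(none configured)' } } } |
    Format-Table -AutoSize

# 3. EWS subscription caps: a policy with EwsMaxSubscriptions = 0 blocks EWS push
#    subscriptions for the mailboxes it applies to. Review the organization-scoped
#    policy and any regular-scoped exemptions.
Get-ThrottlingPolicy |
    Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions |
    Format-Table -AutoSize

# 4. Mailboxes explicitly assigned a throttling policy (i.e. exemptions from the default).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy } |
    Select-Object Name, ThrottlingPolicy |
    Format-Table -AutoSize

# 5. DisableLoopbackCheck under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on this server.
#    The CVE FAQ ties exploitability to this value, so record its current state.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$val = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($null -eq $val) { "DisableLoopbackCheck: not present on $env:COMPUTERNAME" }
else { "DisableLoopbackCheck: $val on $env:COMPUTERNAME" }
```

Step 5 only inspects the server the shell is running on; run it on each Exchange server (or wrap it in Invoke-Command) to cover the whole environment.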

As of now, you’ll find the most up-to-date advice on Microsoft’s Security Response Center, listed under CVE-2018-8581.

About the Author

Steve Goodman

Technology Writer and Chief Editor for AV Content at Practical 365, focused on Microsoft 365. A 12-time Microsoft MVP, author of several technology books and regular Microsoft conference speaker. Steve works at Advania in the UK as Field Chief Technology Officer, advising business and IT on the best way to get the most from Microsoft Cloud technology.

Comments

  1. David

    Hello,
    I went from CU8 to CU15 with the security patch and now Outlook for Mac cannot connect. Any ideas?
    Thanks!!

  2. David

    Updated Exchange 2016 from CU 8 to CU 15 with the patch and now Outlook for Mac clients having all kinds of disconnect issues. Any ideas?
    Thanks

  3. Twally

    Is the Exchange server vulnerable if it cannot be accessed via HTTP?

  4. Tom R.

    Would anyone happen to know how exploitable this 0-day is remotely?
    What are the vectors?
    Our Exchange environment is not accessible externally. Would an attacker need to gain access to an internal machine to utilize this exploit, or could an attacker utilize this exploit by crafting an email and sending it inbound from externally, as was the case with past exploits?

  5. Tim Read

    I raised a support case with MS on this issue. They stated that according to the Exchange Product Group, the regkey documented in CVE-2018-8581 does not fix the vulnerability. It will be fully fixed in a future security patch/CU. In the meantime they provided me with an EWS Log Scanner (CVE20188581EWSLogScanner.exe) to check for EWS push subscriptions, and also ‘recommended per your preference’ that we consider disabling EWS Push Subscriptions. If you have Outlook for Mac users with mailboxes on your on-premises Exchange servers, do not disable EWS Push Subs as it will break their mailbox access via Outlook.

    1. Fiona

      How do you disable EWS push subscriptions? Could you list detailed steps?
      Does it have any other impact besides ‘Outlook for Mac’ users?

      1. Ehab Shahin

        To disable EWS subscriptions from being created, use the following steps:
        1. Create an organization-scoped policy that blocks all EWS subscriptions:
        New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
        2. Create a regular-scoped policy, which can be used to whitelist trusted users who must have full EWS functionality:
        New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000
        3. Assign the regular policy to any such Mac users:
        Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions

    2. Forrest

      Is there a readily available location to obtain that EWS Log Scanner tool you mentioned?

      Thanks,

  6. Mitty

    Does this affect Exchange 2010 servers?

  7. Michael

    Has anyone been able to PoC exploit this through an edge server with an ARR proxy sending back connections from a DMZ?

  8. Marc

    Does this affect Office 365 / Exchange Online somehow?

    1. Sigi Jagott

      No, Office 365 / Exchange Online is not affected.

  9. Darwin Lee

    Good info – thanks Steve.

  10. Joe Sutherland

    The CVE states that there is no workaround for this vulnerability but also that the vulnerability cannot be exploited if the registry key is removed… Can you harmonize those two statements?

    1. Cody Kloepfel

      Agreed, what does this mean? Should we be removing DisableLoopbackCheck? What issues can removing that cause?

      1. Mike

        Good points. But the FAQ says

        “The vulnerability described by CVE-2018-8581 is UNexploitable if the DisableLoopbackCheck registry value is removed.”

        Meaning cannot be exploited.

        I would still like to see what Steve has to say about this though.

  11. Gerard Toscano

    Great information, thank you.
