You will want to take note of this. Exchange Server zero-day exploits are very rare, which usually means you should be concerned when you hear about one.
But, before going any further – Microsoft is actively working to resolve the issue as quickly as possible, so expect to hear more from the Exchange team in the coming days.
Security Researcher Dirk-jan Mollema has recently blogged about a newly available vulnerability in Exchange and how that can be exploited to allow an attacker to obtain escalated privileges. Most Exchange Server administrators will know that Exchange Server is very closely integrated with Active Directory, and requires extensive permissions.
The attack relies on two key components to be successful.
Firstly, it relies on utilizing a man-in-the-middle attack against Exchange Server to perform an NTLM relay attack. In essence, this relies on an attacker intercepting the authentication process. This in itself isn’t an Exchange vulnerability, but as Exchange uses NTLM over various HTTP channels, it makes it susceptible to exploit.
The second component of this vulnerability relates to the ability of an attacker to force Exchange to attempt to authenticate as the computer account. To do this, the attacker can use Exchange Web Services to force Exchange Server to make a new outbound HTTP call that uses NTLM to attempt to authenticate against an arbitrary URL via the EWS Push Subscription feature.
In the meantime, Microsoft are not recommending performing any of the actions listed in Mollema’s blog, such as removing privileges. It’s worth noting though, that many organizations already block arbitrary access to Exchange Web Services URLs – and also restrict Exchange Servers from making arbitrary outbound connections to servers on the internet.
As of now, you’ll find the most up-to-date advice on Microsoft’s Security Response Center, listed under CVE-2018-8581.
Hello,
I went from CU8 to CU15 with the security patch and now Outlook for Mac can not connect. Any ideas?
Thanks!!
Updated Exchange 2016 from CU 8 to CU 15 with the patch and now Outlook for Mac clients having all kinds of disconnect issues. Any ideas?
Thanks
Just now:
https://support.microsoft.com/en-us/help/4345836/cumulative-update-22-for-exchange-server-2013
Just released, the offical fixes for 4 Exchange server versions: Exchange 2019, 2016, 2013 and 2016.
Here’s the blog post with more information about it:
https://blogs.technet.microsoft.com/exchange/2019/02/12/released-february-2019-quarterly-exchange-updates/
Is the exchange server vulnerable if it can not be accessed via HTTP?
Here you are updated info guys
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
Would anyone happen to know how exploitable this 0-day is remotely?
What are the vectors?
Our Exchange environment is not accessible externally, would an attacker need to gain access to an internal machine to utilize this exploit, or could an attacker utilize this exploit by crafting an email and send it inbound from externally, as was the case with past exploits?
I raised a support case with MS on this issue. They stated that according to the Exchange Product Group, the regkey documented in CVE-2018-8581 does not fix the vulnerability. It will be fully fixed in a future security patch/CU. In the meantime they provided me with an EWS Log Scanner (CVE20188581EWSLogScanner.exe) to check for EWS push subscriptions, and also ‘recommended per your preference’ that we consider disabling EWS Push Subscriptions. If you have Outlook for Mac users with mailboxes on your on-premises Exchange servers, do not disable EWS Push Subs as it will break their mailbox access via Outlook.
How do you disable EWS push subscriptions? Could you list detailed steps?
Does it have any other impact besides ‘Outlook for Mac’ users?
To disable EWS subscriptions from being created, use the following steps:
1. Create an organization-scoped policy that blocks all EWS subscriptions:
New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
2. Create a regular-scoped policy, which can be used to whitelist trusted users who must have full EWS functionality:
New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000
3. Assign the regular policy to any such MAC users:
Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions
Here you are the info you need
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
Is there a readily available location to obtain that EWS Log Scanner tool you mentioned?
Thanks,
Does this affect Exchange 2010 servers ?
Has anyone been able to POC exploit this through an edge server with arr proxy sending back connections from a DMZ?
Does this affect Office 365 / Exchange Online somehow?
No, Office 365 / Exchange Online is not affected.
Good info – thanks Steve.
The CVE states that there is no workaround for this vulnerability but also that the vulnerability cannot be exploited if the registry key is removed… Can you harmonize those two statements?
Agreed, what does this mean? Should we be removing DisableLoopbackCheck? What issues can removing that cause?
Good points. But the FAQ says
“The vulnerability described by CVE-2018-8581 is UNexploitable if the DisableLoopbackCheck registry value is removed.”
Meaning cannot be exploited.
I would still like to see what Steve has to say about this though.
Great information, thank you.