You will want to take note of this. Exchange Server zero-day exploits are very rare, which usually means you should be concerned when you hear about one.
But, before going any further – Microsoft is actively working to resolve the issue as quickly as possible, so expect to hear more from the Exchange team in the coming days.
Security researcher Dirk-jan Mollema has recently blogged about a newly disclosed vulnerability in Exchange and how it can be exploited to allow an attacker to obtain elevated privileges. Most Exchange Server administrators will know that Exchange Server is very closely integrated with Active Directory and requires extensive permissions.
The attack relies on two key components to be successful.
Firstly, it relies on a man-in-the-middle position against Exchange Server to perform an NTLM relay attack. In essence, the attacker intercepts the authentication process and relays it. NTLM relay in itself isn’t an Exchange vulnerability, but because Exchange uses NTLM over various HTTP channels, it is susceptible to this kind of attack.
The second component of this vulnerability relates to the ability of an attacker to force Exchange to attempt to authenticate as its computer account. To do this, the attacker uses the EWS Push Subscription feature in Exchange Web Services to make Exchange Server open a new outbound HTTP connection to an arbitrary URL and attempt NTLM authentication against it.
In the meantime, Microsoft is not recommending that you perform any of the actions listed in Mollema’s blog, such as removing privileges. It’s worth noting, though, that many organizations already block arbitrary access to Exchange Web Services URLs and also restrict Exchange Servers from making arbitrary outbound connections to servers on the internet.
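The outbound HTTP call described above is triggered by the callback URL inside an EWS Subscribe request, so one thing a defender can do while waiting for official guidance is to inspect those requests and flag any push-subscription callback that does not point at an approved internal application host. The following is an added example written for this post, not code from Microsoft, from the Exchange product, or from Mollema’s blog. It assumes you already have a way to capture EWS request bodies (for example from a reverse proxy or WAF in front of Exchange, since IIS logs do not record bodies), and the allowlisted host names and the sample request are constructed for illustration. The EWS element and namespace names are the ones Microsoft publishes for the Subscribe operation.

```python
"""Flag EWS push-subscription callback URLs that point outside an allowlist.

Added example for this post (not Microsoft's, Exchange's, or the researcher's
code): given the body of an EWS Subscribe request, extract every
PushSubscriptionRequest callback URL and report those whose host is not an
approved internal application host.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SOAP namespaces published by Microsoft for Exchange Web Services.
NS = {
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
}

# Assumed: the only hosts that legitimately receive push notifications
# in this environment (constructed names).
ALLOWED_CALLBACK_HOSTS = {"crm-app.corp.example", "notify.corp.example"}

# Constructed sample Subscribe body. The callback host is a workstation,
# which is not on the allowlist and should therefore be flagged.
SAMPLE_REQUEST = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
    xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest>
        <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
        <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
        <t:StatusFrequency>1</t:StatusFrequency>
        <t:URL>http://workstation-17.corp.example/notify</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </soap:Body>
</soap:Envelope>
"""


def extract_callback_urls(soap_body):
    """Return every PushSubscriptionRequest/URL value found in the SOAP body."""
    root = ET.fromstring(soap_body)
    urls = []
    for el in root.iterfind(".//m:PushSubscriptionRequest/t:URL", NS):
        if el.text:
            urls.append(el.text.strip())
    return urls


def suspicious_callbacks(soap_body, allowed_hosts=ALLOWED_CALLBACK_HOSTS):
    """Return the callback URLs that are not http(s) to an allowlisted host.

    Anything outside the allowlist is a candidate for review: a push
    subscription is how Exchange is made to open an outbound HTTP connection
    to a host the attacker chooses.
    """
    findings = []
    for url in extract_callback_urls(soap_body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or host not in allowed_hosts:
            findings.append(url)
    return findings


if __name__ == "__main__":
    for url in suspicious_callbacks(SAMPLE_REQUEST):
        print("push subscription callback outside allowlist:", url)
```

Run it against captured EWS request bodies rather than a single sample; the same check can be turned into an alert in whatever inspects traffic in front of Exchange. Note that it only detects the request that sets up the outbound call; it does not block the outbound connection itself, which is the separate egress restriction mentioned above, and a request body parsed with the standard library XML parser should come from a trusted capture point rather than untrusted input.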
As of now, you’ll find the most up-to-date advice on Microsoft’s Security Response Center, listed under CVE-2018-8581.