Microsoft Exchange 2013/2016/2019 vulnerable to remote privilege escalation

Exchange 2013 or later fails to properly authenticate and validate certain requests, allowing a remote attacker with access to an Exchange mailbox to gain full Domain Administrative privileges. CVSS Base Score: 8.3

Likelihood of exploit success

Very high - all required exploit code is publicly available.

Detections available

Monitor Domain Controller Security Events Logs for 4624 and 5136

To detect possible exploitation, monitor for Event ID 4624 on domain controllers. The events in question will originate from the NTLM authentication package under the Exchange server computer account (See SANS ISC Diary entry).

Additionally, event ID 5136 will show DACL modifications containing the targeted account’s SID (See SANS ISC Diary entry).
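As an added example (not part of this advisory), the following Python applies the two checks above to constructed sample records in the shape of exported Security log EventData; the Exchange computer account name, the watched SID and the event records themselves are all assumptions, and the correlation window is a hypothetical choice.

```python
"""Correlate DC Security events 4624 (NTLM logon as an Exchange computer account)
and 5136 (nTSecurityDescriptor change naming a watched SID).
All records below are constructed; field names mirror Windows EventData names."""
from datetime import datetime, timedelta

# Assumed values (not from the advisory): the Exchange server computer account and
# the SID of the mailbox user whose domain privileges we do not expect to change.
EXCHANGE_ACCOUNTS = {"EXCH01$"}
WATCHED_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333-1105"}

SAMPLE_EVENTS = [  # constructed sample log records
    {"EventID": 4624, "Time": "2019-02-01T10:00:00", "TargetUserName": "EXCH01$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": "2019-02-01T10:00:30", "TargetUserName": "EXCH01$",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},  # normal
    {"EventID": 5136, "Time": "2019-02-01T10:00:40", "SubjectUserName": "EXCH01$",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "D:(A;;RP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"},
    {"EventID": 5136, "Time": "2019-02-01T11:00:00", "SubjectUserName": "admin",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "routine edit"},
]

def ntlm_computer_logons(events):
    """4624 events authenticated via NTLM for an Exchange computer account."""
    return [e for e in events if e["EventID"] == 4624
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("TargetUserName") in EXCHANGE_ACCOUNTS]

def dacl_changes_with_sid(events):
    """5136 events whose new security descriptor names a watched SID."""
    return [e for e in events if e["EventID"] == 5136
            and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
            and any(sid in e.get("AttributeValue", "") for sid in WATCHED_SIDS)]

def correlate(events, window=timedelta(minutes=5)):
    """Pair each suspicious DACL change with NTLM logons that preceded it within the window."""
    hits, logons = [], ntlm_computer_logons(events)
    for change in dacl_changes_with_sid(events):
        t_change = datetime.fromisoformat(change["Time"])
        prior = [l for l in logons
                 if timedelta(0) <= t_change - datetime.fromisoformat(l["Time"]) <= window]
        if prior:
            hits.append({"dacl_change": change, "preceding_ntlm_logons": prior})
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT:", hit["dacl_change"]["Time"], "preceded by", len(hit["preceding_ntlm_logons"]), "NTLM logon(s)")
```

A Kerberos 4624 for the computer account is routine, which is why the NTLM check alone is only a weak signal and the pairing with a 5136 DACL change tightens it.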

  1. Enable SMB and LDAP signing on affected infrastructure.
  2. If option 1 is not feasible, disable EWS push/pull subscriptions on affected Exchange servers.
  3. Monitor for related security event logs on domain controllers.

Mitigations available

Enable SMB and LDAP signing

SMB and LDAP signing defeats this exploit completely.

Disable Exchange Web Services (EWS) push/pull subscriptions

Disabling EWS push/pull subscriptions will defeat the exploit completely. EWS will still use streaming notifications to communicate with clients. This may negatively impact Exchange clients which rely on push/pull notification functionality. This will not affect ActiveSync clients.

Prevent Exchange server from connecting to your workstations

Outlook clients should connect to the Exchange server, but the server should not be connecting to your clients directly. Preventing uninitiated outbound communication from the server can increase the difficulty of successful exploitation (See SANS ISC Diary entry). This can be a somewhat complex task for the uninitiated.