Microsoft Confirms Serious ‘PrivExchange’ Vulnerability

The elevated privilege flaw exists in Microsoft Exchange and would allow a remote attacker to impersonate an administrator.

Microsoft acknowledged an elevated privilege flaw in its Exchange Server could allow a remote attacker with a simple mailbox account to gain administrator privileges.

Both a Microsoft advisory and a US-CERT alert were issued on Tuesday warning users of the elevation of privilege flaw, dubbed “PrivExchange,” which has a “high severity” CVSS score of 8.3. The flaw exists due to a perfect storm of default settings in Microsoft Exchange Server, the mail and calendaring server that runs on Windows Server operating systems. According to Microsoft, Exchange 2013 and newer versions are impacted.

Currently, Microsoft has not issued a patch to fix the bug. However, there are workaround fixes.

The advisory comes weeks after a proof of concept was released outlining how a regular Exchange mail user could utilize two Python-based tools – privexchange.py and ntlmrelayx.py – to eventually gain domain administrator privileges. Administrators have access to the entire Exchange Server organization and can perform almost any task against any Exchange Server object.

“To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user,” Microsoft said in its Tuesday advisory.

PrivExchange was first outlined in a proof of concept in a Jan. 21 post called “Abusing Exchange: One API call away from Domain Admin,” by Dirk-jan Mollema, security researcher with Fox-IT.

The proof of concept takes advantage of several default settings in Exchange, said Mollema. Firstly, Exchange has a feature (called Exchange Web Services, or EWS) which essentially allows any mailbox user to make the Exchange server authenticate, using its own computer account, to a computer the attacker controls.

Attackers can therefore use the EWS PushSubscription call to trigger that authentication from the Exchange server. The server then authenticates the account via NTLM. NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication and is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN).

[Figure: PrivExchange attack flow. Credit: Dirk-Jan Mollema]

In another default faux pas, Exchange fails to set signing and sealing flags on NTLM authentication traffic. Therefore, the attacker could perform an NTLM relay attack, where they forward the NTLM authentication to other machines on the network – specifically, that of an administrator. Because the NTLM traffic is neither signed nor sealed, the receiving machine has no way to recognize that the authentication was relayed.

Finally, Exchange servers have high-privilege access by default, including to the domain controller. With those privileges, the attacker could gain access to the domain controller, which gives them an array of malicious powers.

“Because of the privileges gained by this attack, attackers could control anything in Active Directory, such as accessing systems, reading and modifying data, and adding backdoors for persistence,” Mollema told Threatpost.

The attack is “relatively easy to carry out” and already an array of other implementations of the PoC tools have been released that allow attackers to perform the attack through an infected workstation, he told Threatpost.

While Microsoft said that a planned update is in the works, currently no solutions exist to fix the flaw. However, if Exchange users think their systems are at high risk, a workaround exists.

Potentially impacted users are those with on-premises deployments, as Exchange Online is not impacted, and those whose systems still use NTLM, as systems that have disabled NTLM are not affected.

To address this vulnerability, users could essentially define and apply a “Throttling Policy” that sets EwsMaxSubscriptions to a value of zero. The EwsMaxSubscriptions parameter specifies the maximum number of active “push and pull” subscriptions that an Exchange Web Services user can have on a specified Exchange server at the same time – so setting it to zero blocks the Exchange server from sending any notification.

“This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally,” said Microsoft. “Examples of impacted applications include Outlook for Mac, Skype for Business, notification reliant LOB applications, and some iOS native mail clients.”
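The workaround described above, as an added example run from the Exchange Management Shell on an on-premises Exchange server (this is illustrative code, not Microsoft's advisory text). The policy name “NoEwsPushSubscriptions” is a placeholder chosen here; the cmdlets (Get-/New-/Set-/Remove-ThrottlingPolicy, Restart-WebAppPool) are standard Exchange and IIS cmdlets. The script records the current setting first so the change can be reverted once a patch ships or if notification-dependent clients break:

```powershell
# Added example: apply the EwsMaxSubscriptions = 0 workaround from the
# Exchange Management Shell. "NoEwsPushSubscriptions" is a placeholder name.
Import-Module WebAdministration   # provides Restart-WebAppPool

# 1. Record any existing organization-scope throttling policy so the
#    change is auditable and reversible.
$orgPolicy = Get-ThrottlingPolicy |
    Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' }
if ($orgPolicy) {
    Write-Host "Existing Organization policy:"
    $orgPolicy | Select-Object Name, EwsMaxSubscriptions | Format-Table -AutoSize
}

# 2. Block all EWS push/pull subscriptions organization-wide. An
#    Organization-scope policy applies to every mailbox without an explicit
#    per-user policy, so no mailbox is left with the default limit.
if ($orgPolicy) {
    # Reuse the existing policy rather than creating a competing one.
    Set-ThrottlingPolicy -Identity $orgPolicy.Name -EwsMaxSubscriptions 0
    $policyName = $orgPolicy.Name
} else {
    New-ThrottlingPolicy -Name 'NoEwsPushSubscriptions' `
        -ThrottlingPolicyScope Organization `
        -EwsMaxSubscriptions 0
    $policyName = 'NoEwsPushSubscriptions'
}

# 3. Recycle the EWS application pool so the new limit takes effect now
#    rather than at the next pool recycle.
Restart-WebAppPool -Name 'MSExchangeServicesAppPool'

# 4. Verify: the effective Organization-scope value must now read 0.
Get-ThrottlingPolicy -Identity $policyName |
    Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions

# Revert after patching, or if Outlook for Mac, Skype for Business or other
# notification-reliant clients must be restored before then:
#   Remove-ThrottlingPolicy -Identity 'NoEwsPushSubscriptions'   # if created above
#   Restart-WebAppPool -Name 'MSExchangeServicesAppPool'
```

Run step 4 on each Exchange server after the app pool restart; a non-zero EwsMaxSubscriptions on any server means that server can still be made to send push notifications and the workaround is incomplete there.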

Microsoft did not respond to a request for comment from Threatpost on when the upcoming fix would be released, or on whether it has seen the vulnerability being exploited in the wild.

“The workarounds Microsoft communicated are effective and I recommend sysadmins to look at implementing those till a patch is released,” Mollema told Threatpost.

Separately, Microsoft on Tuesday released its February Non-Security Microsoft updates; and acknowledged recent disruptions in its Windows Update service.

The non-security updates include updates for Microsoft Office (2010, 2013 and 2016) as well as Microsoft Outlook, PowerPoint, Access and Skype for Business.

Microsoft also confirmed that the Windows Update service connectivity issues seen last week were due to a “data corruption issue in an external DNS service provider global outage” on Jan. 29.

“The issue was resolved on the same day and Windows Update is now operating normally, but a few customers have continued to report issues connecting to the Windows Update service,” Microsoft said. “We expect these issues will go away as downstream DNS servers are updated with the corrected Windows Update DNS entries.”
