Microsoft Exchange Vulnerable to Privilege Escalation

Fox-IT security researcher Dirk-jan Mollema discovered that by combining three known vulnerabilities, threat actors could escalate the privileges of any user with a Microsoft Exchange mailbox to Domain Admin access. Mollema accomplished this by exploiting Exchange’s high privileges in the Active Directory domain, NTLM authentication’s vulnerability to relay attacks, and the ability to make the Exchange server authenticate to a threat actor-controlled website with its computer account. At the time of writing, there is no fix; however, Mollema suggested several mitigations to combat this threat. A proof-of-concept tool to carry out such an attack has also been released. The NJCCIC recommends that affected users and administrators of Microsoft Exchange 2013 and newer apply the mitigations provided by Mollema until patches become available. More information on the vulnerabilities, technical details, and mitigations can be found on Mollema’s website.
