Elevated privilege flaw in Microsoft Exchange Server

An elevation of privilege flaw in Microsoft Exchange Server would allow a remote attacker to impersonate an administrator.

According to Microsoft security advisory ADV190007:
“An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.”

PrivExchange was first outlined in a proof of concept in a Jan. 21 post called “Abusing Exchange: One API call away from Domain Admin,” by Dirk-jan Mollema, a security researcher at Fox-IT.

According to the researcher, the “attack is possible by default and while no patches are available at the point of writing, there are mitigations that can be applied to prevent this privilege escalation.”

In his blog post, the researcher explains the attack, suggests some mitigations, and releases a proof-of-concept tool for the attack, which he named ‘PrivExchange’.

Microsoft also suggests a workaround in its advisory, saying: “To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally. Examples of impacted applications include Outlook for Mac, Skype for Business, notification reliant LOB applications, and some iOS native mail clients. Please see Throttling Policy for more information.”
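The workaround above expressed as Exchange Management Shell commands, as an added example that is not part of the article or of Microsoft's advisory text; the policy name NoEwsSubscriptions and the mailbox address are assumptions, and the cmdlets used are the standard Exchange throttling-policy cmdlets.

```powershell
# Added example: apply the ADV190007 workaround (EwsMaxSubscriptions = 0 at organization scope).
# The policy name below is an assumption; pick whatever fits your naming convention.
$policyName = "NoEwsSubscriptions"

# 1. Create an organization-scope throttling policy that permits zero EWS subscriptions.
#    An Organization-scope policy applies to every mailbox that has no Regular policy assigned.
New-ThrottlingPolicy -Name $policyName -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

# 2. Verify the new policy and its scope.
Get-ThrottlingPolicy -Identity $policyName |
    Format-List Name, ThrottlingPolicyScope, EwsMaxSubscriptions

# 3. Mailboxes with an explicitly assigned Regular policy are NOT covered by the organization
#    policy, so the same limit has to be set on each Regular policy as well.
Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq "Regular" } | ForEach-Object {
    Set-ThrottlingPolicy -Identity $_.Identity -EwsMaxSubscriptions 0
}

# 4. Spot-check which policy a given mailbox actually resolves to (address is a placeholder).
Get-ThrottlingPolicyAssociation -Identity "user@example.com" | Format-List

# 5. Rollback once the Exchange update is installed, because EWS notifications (Outlook for Mac,
#    Skype for Business, notification-reliant LOB apps) stay broken while the limit is in place:
# Remove-ThrottlingPolicy -Identity $policyName
```

Step 3 is the check most often missed: the advisory's organization-wide value of zero silently leaves out any mailbox that already carries a per-user (Regular) policy.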