Forum Discussion
Tenable published a blog [1] earlier today about a critical privilege escalation bug [2] in fully patched Microsoft Exchange 2013/2016 that would reportedly allow a standard Exchange user to elevate their privileges to that of a Domain Administrator via publicly available exploit code [3]. This bug is caused by a protocol flaw in NT LAN Manager (NTLM) and several vulnerabilities in Microsoft Exchange.
Coverage for these flaws is provided by Tenable's November Patch Tuesday release [4] as well as via configuration .audit checks available on our .audit download page [5].
For more information, check out our blog.
References:
[1] https://www.tenable.com/blog/proof-of-concept-code-gives-standard-microsoft-exchange-users-domain-administrator-privileges
[2] https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
[3] https://github.com/dirkjanm/privexchange/
[4] https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-8581%22)&sort=&page=1
[5] https://www.tenable.com/downloads/audit
- Anonymous
Update: Microsoft published [1] a security advisory (ADV190007) that includes a Throttling Policy [2] that will mitigate this vulnerability until a software update. Additionally, they noted that the vulnerability described in the blog post below only affects on-prem deployments of Microsoft Exchange. Microsoft notes in the advisory that this workaround might disrupt some functions in Outlook for Mac, Skype for Business Client, Apple Mail Clients and third-party applications.
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
[2] https://docs.microsoft.com/en-us/powershell/module/exchange/server-health-and-performance/New-ThrottlingPolicy?view=exchange-ps
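The throttling-policy workaround the reply refers to, written out as an added PowerShell example for the Exchange Management Shell. This is not code from the thread, from Tenable or from Microsoft; it assumes the policy name NoEWSSubscription and the EwsMaxSubscriptions parameter of New-ThrottlingPolicy, which is the setting ADV190007 has administrators zero out on on-prem Exchange 2013/2016, and it adds an idempotency check and a verification step that the advisory itself does not spell out.

```powershell
# Added example: apply the ADV190007 EWS-subscription workaround on an
# on-premises Exchange 2013/2016 server and verify it took effect.
# Run in the Exchange Management Shell as a member of Organization Management.
# Assumptions: policy name and parameter values follow the advisory as
# published; check the current advisory text before relying on them.

$PolicyName = 'NoEWSSubscription'   # name used in the advisory (assumed)

# 1. Create an organization-scoped throttling policy that forbids EWS
#    push/pull subscriptions, the mechanism the advisory blocks.
#    Re-running the script must not fail or create a duplicate policy.
$existing = Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ThrottlingPolicy -Name $PolicyName `
                         -ThrottlingPolicyScope Organization `
                         -EwsMaxSubscriptions 0
} else {
    # Policy already exists: enforce the one setting that matters.
    Set-ThrottlingPolicy -Identity $PolicyName -EwsMaxSubscriptions 0
}

# 2. EWS reads throttling settings when its application pool starts,
#    so recycle the pool for the change to become effective.
Import-Module WebAdministration -ErrorAction SilentlyContinue
Restart-WebAppPool -Name MSExchangeServicesAppPool

# 3. Verify: report the effective value and flag a policy that did not apply.
$effective = Get-ThrottlingPolicy -Identity $PolicyName |
             Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions
$effective | Format-Table -AutoSize

# EwsMaxSubscriptions is an Unlimited<UInt32>; compare its string form.
if ("$($effective.EwsMaxSubscriptions)" -ne '0') {
    Write-Warning "EwsMaxSubscriptions is not 0 on '$PolicyName'; workaround is NOT in effect."
}

# Rollback once the software update is installed:
#   Remove-ThrottlingPolicy -Identity $PolicyName
#   Restart-WebAppPool -Name MSExchangeServicesAppPool
```

Because the policy is organization-scoped it affects every mailbox, which is why the reply's note about Outlook for Mac, Skype for Business and other EWS-subscription clients matters: test on a pilot server and keep the rollback commands at hand until the patch is deployed.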