Microsoft Exchange vulnerability could allow attackers to perform Privilege Escalation Attack

• Microsoft Exchange 2013 and newer verions are vulnerable to a privilege escalation zero-day which could allow attackers to gain Domain Controller admin privileges.
• Researchers noted that this zero-day is not a single issue but a combination of three security flaws that could allow attackers to escalate access from a hacked email account to the admin account of the Domain Controller.

Researchers observed that Microsoft Exchange 2013 and newer versions are vulnerable to a privilege escalation attack. They noted that Microsoft Exchange is vulnerable to a zero-day which could allow attackers with a mailbox to gain Domain Controller admin privileges using a simple Python tool.

A security researcher at FOX-IT named Dirk-jan Mollema explained about this zero-day in a blog. “If you are a company that has 1,000 computers, all that the attacker needs to do is gain control of one that gives access to an Exchange mailbox,” Mollema wrote in his blog.

Not one but three security issues

The security researcher noted that this zero-day is not a single issue but a combination of three security flaws that could allow attackers to escalate access from a hacked email account to the admin account of the Domain Controller. The three issues are,

• The attackers abuse the Exchange Web Services (EWS) feature of Microsoft Exchange servers in order to authenticate the Exchange servers on the website which is controlled by the attacker using the Windows computer account of the Exchange server.
• The Exchange server fails to set the Sign and Seal flags for the NTLM operation, leaving the NTLM authentication vulnerable to relay attacks. This allows the attacker to obtain the Exchange Server’s computer account password ‘NTLM hash’ which is used for authentication of the Exchange server on the attacker-controlled website.
• Microsoft Exchange servers are installed by default with access to many high privilege operations which allows the attacker to use the Exchange server's newly compromised computer account in order to gain admin access on a company's Domain Controller. This further allows the attacker to create more backdoor accounts at will.

Researchers confirmed that this zero-day works on Microsoft Exchange and Windows Server Domain Controllers running with fully patched versions. However, Microsoft has not released any fix or emergency patches for this zero-day vulnerability.

Mitigations

Mollema described several mitigations in his blog to prevent attackers from exploiting this zero-day vulnerability which included,

• Removing unnecessary high privileges that Microsoft Exchange has on the Domain object.
• Enabling LDAP signing and LDAP channel binding to avoid relying on LDAP.
• Enabling ‘Extended Protection for Authentication’ on Microsoft Exchange endpoints in IIS.
• Enforcing SMB signing on Exchange servers to prevent cross-protocol relay attacks to SMB.
• Removing registry key which makes relaying back to Exchange servers possible.