Microsoft Exchange vulnerable to 'PrivExchange' zero-day

Microsoft Exchange 2013 and newer are vulnerable to a zero-day named "PrivExchange" that allows a remote attacker with just the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges with the help of a simple Python tool.

Also: What's next on the Microsoft hardware front

Details about this zero-day have been made public last week by Dirk-jan Mollema, a security researcher with Dutch cyber-security firm Fox-IT.

According to the researcher, the zero-day isn't one single flaw, but a combination of three (default) settings and mechanisms that an attacker can abuse to escalate his access from a hacked email account to the admin of the company's internal domain controller (a server that handles security authentication requests within a Windows domain). The three issues, according to Mollema, are:

1. Microsoft Exchange servers have a feature called Exchange Web Services (EWS) that attackers can abuse to make the Exchange servers authenticate on an attacker-controlled website with the computer account of the Exchange server.
2. This authentication is done using NTLM hashes sent via HTTP, and the Exchange server also fails to set the Sign and Seal flags for the NTLM operation, leaving the NTLM authentication vulnerable to relay attacks, and allowing the attacker to obtain the Exchange server's NTLM hash (Windows computer account password).
3. Microsoft Exchange servers are installed by default with access to many high privilege operations, meaning the attacker can use the Exchange server's newly compromised computer account to gain admin access on a company's Domain Controller, giving them the ability to create more backdoor accounts at will.

The PrivExchange attack has been confirmed to work on Exchange and Windows Server DCs (Domain Controllers) running with fully-patched versions.

Microsoft has not released any emergency patches for the PrivExchange vulnerability. However, Mollema has included several mitigations in his blog that system administrators can deploy to prevent attackers from exploiting this zero-day and getting control over their companies' server infrastructure.

Must read

• This is not your father's Microsoft  (CNET)
  
• How Python made it big at Microsoft (TechRepublic)
  

This article from the CERT/CC team from Carnegie Mellon University also details the same mitigations.

The PrivExchange vulnerability should not be taken lightly. It is both easy to carry out thanks to the availability of a ready-made proof-of-concept tool, but also because it grants attackers full control over a company's Windows IT infrastructure, the Holy Grail of most hacker groups.

Related stories:

• Microsoft cloud services see global authentication outage
  
• Making sense of Microsoft's approach to AI
  
• Microsoft guy: Mozilla should give up on Firefox
  

More security coverage:

• LocalBitcoins blames security breach on forum 'third-party software'
• WordPress sites under attack via zero-day in abandoned plugin
• Concerns raised about WordPress' new 'White Screen Of Death' protection feature
• Malvertising campaign targets Apple users with malicious code hidden in images
  
• Hackers are going after Cisco RV320/RV325 routers using a new exploit
• Internet experiment goes wrong, takes down a bunch of Linux routers
• Brave browser can now show ads, and soon you'll get 70% of the money CNET
  
• Why cryptojacking will become an even larger problem in 2019 TechRepublic