MS Exchange Server vulnerability gives hackers admin privileges

2 minute read
microsoft Exchange Server vulnerability

Home » News » MS Exchange Server vulnerability gives hackers admin privileges

A new vulnerability has been found in Microsoft Exchange Server 2013, 2016 and 2019. This new vulnerability is called PrivExchange and is actually a zero-day vulnerability.

Exploiting this security hole, an attacker can gain Domain Controller admin privileges using the credentials of an exchange mailbox user with the help of simple Python tool.

This new vulnerability was highlighted by a researcher Dirk-Jan Mollema on his personal blog a week ago. In his blog, he discloses important information about PrivExchange zero-day vulnerability.

He writes that this is not a single flaw whether comprises of 3 components which are combined to escalate the access of an attacker from any user with a mailbox to Domain Admin.

These three flaws are:

  • Exchange Servers have (too) high privileges by default
  • NTLM authentication is vulnerable to relay attacks
  • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server.

According to the researcher, the whole attack can be performed using the two tools named privexchange .py and ntlmrelayx. However, the same attack is still possible if an attacker lacks necessary user credentials.

In such circumstances, modified httpattack.py can be utilized with the ntlmrelayx to perform the attack from a network perspective without any credentials.

How to mitigate Microsoft Exchange Server vulnerabilities

No patches to fix this zero-day vulnerability have been proposed by Microsoft yet. However, in the same blog post, Dirk-Jan Mollema communicates some mitigations that can be applied to protect the server from the attacks.

The proposed mitigations are:

  • Blocking exchange servers from establishing relations with other workstations
  • Eliminating the register key
  • Implementing SMB signing on Exchange servers
  • Removing unnecessary privileges from the Exchange domain object
  • Enabling Extended Protection for Authentication on the Exchange endpoints in IIS, excluding Exchange Back End ones because this would break Exchange).

Additionally, you can install one of these antivirus solutions for Microsoft Server 2013.

The PrivExchange attacks have been confirmed on the fully patched versions of Exchange and Windows servers Domain Controllers like Exchange 2013, 2016 and 2019.

RELATED POSTS TO CHECK OUT:

Discussions

Next up

Windows 10 19H2 Build 18362.10006 isn’t available for all Windows insiders

Vlad Turiceanu By: Vlad Turiceanu
2 minute read

Today Microsoft released a new Windows 10 19H2 build for a subset of lucky Windows insiders in the Slow ring. It’s not really new, because […]

Continue Reading

Latest Windows 10 updates can slow down your PC significantly

Vlad Turiceanu By: Vlad Turiceanu
2 minute read

Windows 10 May update packs a lot of changes. Some of them are visual, other are performance or security related. It’s already a known fact […]

Continue Reading

Intel Optane memory pinning error on Windows 10 [GET RID OF IT NOW]

Vlad Turiceanu By: Vlad Turiceanu
2 minute read

Intel Optane memory is a smart technology that keeps track of your frequently used apps, documents, pictures, and videos and remembers them after shutdown. This […]

Continue Reading