MS Exchange Server vulnerability gives hackers admin privileges

2 minute read
microsoft Exchange Server vulnerability

Home » News » MS Exchange Server vulnerability gives hackers admin privileges

A new vulnerability has been found in Microsoft Exchange Server 2013, 2016 and 2019. This new vulnerability is called PrivExchange and is actually a zero-day vulnerability.

Exploiting this security hole, an attacker can gain Domain Controller admin privileges using the credentials of an exchange mailbox user with the help of simple Python tool.

This new vulnerability was highlighted by a researcher Dirk-Jan Mollema on his personal blog a week ago. In his blog, he discloses important information about PrivExchange zero-day vulnerability.

He writes that this is not a single flaw whether comprises of 3 components which are combined to escalate the access of an attacker from any user with a mailbox to Domain Admin.

These three flaws are:

  • Exchange Servers have (too) high privileges by default
  • NTLM authentication is vulnerable to relay attacks
  • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server.

According to the researcher, the whole attack can be performed using the two tools named privexchange .py and ntlmrelayx. However, the same attack is still possible if an attacker lacks necessary user credentials.

In such circumstances, modified httpattack.py can be utilized with the ntlmrelayx to perform the attack from a network perspective without any credentials.

How to mitigate Microsoft Exchange Server vulnerabilities

No patches to fix this zero-day vulnerability have been proposed by Microsoft yet. However, in the same blog post, Dirk-Jan Mollema communicates some mitigations that can be applied to protect the server from the attacks.

The proposed mitigations are:

  • Blocking exchange servers from establishing relations with other workstations
  • Eliminating the register key
  • Implementing SMB signing on Exchange servers
  • Removing unnecessary privileges from the Exchange domain object
  • Enabling Extended Protection for Authentication on the Exchange endpoints in IIS, excluding Exchange Back End ones because this would break Exchange).

Additionally, you can install one of these antivirus solutions for Microsoft Server 2013.

The PrivExchange attacks have been confirmed on the fully patched versions of Exchange and Windows servers Domain Controllers like Exchange 2013, 2016 and 2019.

RELATED POSTS TO CHECK OUT:

Discussions

Next up

Gears 5 players want more characters in the game

John Taylor avatar. By: John Taylor
2 minute read

Gears 5 is the latest installment in the Gears of War series and has taken the gaming community by storm. Unfortunately, it had a rough […]

Continue Reading

Revolut login not working? Try these methods

Tashreef Shareef avatar. By: Tashreef Shareef
3 minute read

Revolut is a popular banking app offering financial services for smartphone users with features like a pre-paid debit card, currency exchange, peer-to-peer payment, and more. […]

Continue Reading

Do this if you experience Borderlands 3 FPS drops

John Taylor avatar. By: John Taylor
3 minute read

Borderlands 3 is an action role-playing first-person shooter video game that is currently at its 4th installment. Like any sequel, it is far superior to […]

Continue Reading