MS Exchange Server vulnerability gives hackers admin privileges

By: Irfa Batool

A new vulnerability has been found in Microsoft Exchange Server 2013, 2016 and 2019. It is called PrivExchange and is a zero-day vulnerability.

By exploiting this security hole, an attacker can gain Domain Controller admin privileges using the credentials of an Exchange mailbox user with the help of a simple Python tool.

The vulnerability was highlighted by researcher Dirk-Jan Mollema on his personal blog a week ago. In his blog post, he discloses important information about the PrivExchange zero-day vulnerability.

He writes that this is not a single flaw but rather comprises 3 components, which are combined to escalate the access of an attacker from any user with a mailbox to Domain Admin.

These three flaws are:

  • Exchange Servers have (too) high privileges by default
  • NTLM authentication is vulnerable to relay attacks
  • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server.

According to the researcher, the whole attack can be performed using two tools, privexchange.py and ntlmrelayx. However, the same attack is still possible if an attacker lacks the necessary user credentials.

In such circumstances, a modified httpattack.py can be used with ntlmrelayx to perform the attack from a network perspective without any credentials.

How to mitigate Microsoft Exchange Server vulnerabilities

No patches to fix this zero-day vulnerability have been proposed by Microsoft yet. However, in the same blog post, Dirk-Jan Mollema communicates some mitigations that can be applied to protect the server from the attacks.

The proposed mitigations are:

  • Blocking Exchange servers from establishing connections with other workstations
  • Eliminating the registry key
  • Implementing SMB signing on Exchange servers
  • Removing unnecessary privileges from the Exchange domain object
  • Enabling Extended Protection for Authentication on the Exchange endpoints in IIS (excluding the Exchange Back End ones, because this would break Exchange).
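
One way to audit the last mitigation, as an added example that is not from this article or from Mollema's post: the script reads an IIS applicationHost.config and reports which endpoints offering Windows authentication enforce Extended Protection, treating the Exchange Back End site as excluded. The sample configuration and its paths are constructed, and the check assumes settings are written explicitly per location (inherited values are not resolved).

```python
import xml.etree.ElementTree as ET

BACK_END_SITE = "Exchange Back End"  # the article says to leave these endpoints alone
WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"

# Constructed sample laid out like IIS applicationHost.config; the paths are assumptions.
SAMPLE_CONFIG = """<configuration>
 <location path="Default Web Site/EWS"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true"><extendedProtection tokenChecking="None"/></windowsAuthentication>
 </authentication></security></system.webServer></location>
 <location path="Default Web Site/mapi"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true"><extendedProtection tokenChecking="Require"/></windowsAuthentication>
 </authentication></security></system.webServer></location>
 <location path="Default Web Site/Autodiscover"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true"/>
 </authentication></security></system.webServer></location>
 <location path="Default Web Site/owa"><system.webServer><security><authentication>
  <windowsAuthentication enabled="false"/>
 </authentication></security></system.webServer></location>
 <location path="Exchange Back End/EWS"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true"><extendedProtection tokenChecking="None"/></windowsAuthentication>
 </authentication></security></system.webServer></location>
</configuration>"""

def audit_extended_protection(config_xml):
    """Map each location that offers Windows authentication to a verdict."""
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = loc.find(WIN_AUTH)
        if auth is None or auth.get("enabled", "false").lower() != "true":
            continue  # Windows (NTLM) authentication is not offered here
        ep = auth.find("extendedProtection")
        # IIS treats an absent element or attribute as tokenChecking="None"
        token = ep.get("tokenChecking", "None") if ep is not None else "None"
        path = loc.get("path", "")
        if path.split("/")[0] == BACK_END_SITE:
            # Enabling it here would break Exchange, so anything but None needs review
            findings[path] = "excluded" if token == "None" else "review"
        else:
            # "Allow" does not enforce channel binding, so only "Require" passes
            findings[path] = "ok" if token == "Require" else "missing"
    return findings

if __name__ == "__main__":
    for path, verdict in sorted(audit_extended_protection(SAMPLE_CONFIG).items()):
        print(f"{verdict:9} {path}")
```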

Additionally, you can install one of these antivirus solutions for Microsoft Server 2013.

The PrivExchange attacks have been confirmed on fully patched versions of Exchange, such as Exchange 2013, 2016 and 2019, and on fully patched Windows Server Domain Controllers.
