MS Exchange Server vulnerability gives hackers admin privileges

by Madalina Dinita
Madalina Dinita
Madalina Dinita
Windows & Software Expert
Madalina has been a Windows fan ever since she got her hands on her first Windows XP computer. She is interested in all things technology, especially emerging technologies... read more
Updated on
Affiliate Disclosure
microsoft Exchange Server vulnerability
XINSTALL BY CLICKING THE DOWNLOAD FILE
A message from our partner

To fix Windows PC system issues, you will need a dedicated tool

  • Download Fortect and install it on your PC
  • Start the tool's scanning process to look for corrupt files that are the source of your problem
  • Right-click on Start Repair so the tool could start the fixing algorythm
Download Now Fortect has been downloaded by 0 readers this month, rated 4.4 on TrustPilot

A new vulnerability has been found in Microsoft Exchange Server 2013, 2016 and 2019. This new vulnerability is called PrivExchange and is actually a zero-day vulnerability.

Exploiting this security hole, an attacker can gain Domain Controller admin privileges using the credentials of an exchange mailbox user with the help of simple Python tool.

This new vulnerability was highlighted by a researcher Dirk-Jan Mollema on his personal blog a week ago. In his blog, he discloses important information about PrivExchange zero-day vulnerability.

He writes that this is not a single flaw whether comprises of 3 components which are combined to escalate the access of an attacker from any user with a mailbox to Domain Admin.

These three flaws are:

  • Exchange Servers have (too) high privileges by default
  • NTLM authentication is vulnerable to relay attacks
  • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server.

According to the researcher, the whole attack can be performed using the two tools named privexchange .py and ntlmrelayx. However, the same attack is still possible if an attacker lacks necessary user credentials.

In such circumstances, modified httpattack.py can be utilized with the ntlmrelayx to perform the attack from a network perspective without any credentials.

How to mitigate Microsoft Exchange Server vulnerabilities

No patches to fix this zero-day vulnerability have been proposed by Microsoft yet. However, in the same blog post, Dirk-Jan Mollema communicates some mitigations that can be applied to protect the server from the attacks.

The proposed mitigations are:

  • Blocking exchange servers from establishing relations with other workstations
  • Eliminating the register key
  • Implementing SMB signing on Exchange servers
  • Removing unnecessary privileges from the Exchange domain object
  • Enabling Extended Protection for Authentication on the Exchange endpoints in IIS, excluding Exchange Back End ones because this would break Exchange).

Additionally, you can install one of these antivirus solutions for Microsoft Server 2013.

The PrivExchange attacks have been confirmed on the fully patched versions of Exchange and Windows servers Domain Controllers like Exchange 2013, 2016 and 2019.

RELATED POSTS TO CHECK OUT:

This article covers:Topics: