A new vulnerability has been found in Microsoft Exchange Server 2013, 2016 and 2019. This new vulnerability is called PrivExchange and is actually a zero-day vulnerability.
Exploiting this security hole, an attacker can gain Domain Controller admin privileges using the credentials of an exchange mailbox user with the help of simple Python tool.
This new vulnerability was highlighted by a researcher Dirk-Jan Mollema on his personal blog a week ago. In his blog, he discloses important information about PrivExchange zero-day vulnerability.
He writes that this is not a single flaw whether comprises of 3 components which are combined to escalate the access of an attacker from any user with a mailbox to Domain Admin.
These three flaws are:
- Exchange Servers have (too) high privileges by default
- NTLM authentication is vulnerable to relay attacks
- Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server.
According to the researcher, the whole attack can be performed using the two tools named privexchange .py and ntlmrelayx. However, the same attack is still possible if an attacker lacks necessary user credentials.
In such circumstances, modified httpattack.py can be utilized with the ntlmrelayx to perform the attack from a network perspective without any credentials.
How to mitigate Microsoft Exchange Server vulnerabilities
No patches to fix this zero-day vulnerability have been proposed by Microsoft yet. However, in the same blog post, Dirk-Jan Mollema communicates some mitigations that can be applied to protect the server from the attacks.
The proposed mitigations are:
- Blocking exchange servers from establishing relations with other workstations
- Eliminating the register key
- Implementing SMB signing on Exchange servers
- Removing unnecessary privileges from the Exchange domain object
- Enabling Extended Protection for Authentication on the Exchange endpoints in IIS, excluding Exchange Back End ones because this would break Exchange).
Additionally, you can install one of these antivirus solutions for Microsoft Server 2013.
The PrivExchange attacks have been confirmed on the fully patched versions of Exchange and Windows servers Domain Controllers like Exchange 2013, 2016 and 2019.
RELATED POSTS TO CHECK OUT: