According to Thomas Claburn at The Reg: Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user wi
[See the full post at: Microsoft Exchange 0day exploit code published]
Microsoft Exchange 0day exploit code published
- This topic has 15 replies, 8 voices, and was last updated 6 years, 3 months ago.
Tags: CVE-2018-8581 Exchange 0day
NetDef (AskWoody_MVP), January 25, 2019 at 3:40 pm, #316612:
My first thought as well, although we may never know.
Makes me very glad my last self-hosted Exchange server was retired last year. They were always very high maintenance (I supported pretty much every version from v.4.0 through v.2013 . . . )
Now that they are all on O365 or GMail all I have to worry about is whether/when they get compromised and my users impersonated.
Oh, wait . . .
:O
~ Group "Weekend" ~
b (AskWoody_MVP), January 25, 2019 at 6:14 pm, #316636:
Despite Microsoft’s CVE-2018-8581 saying “no mitigations or workarounds”, the FAQ has a single command to delete a registry value on the Exchange Server: “The vulnerability described by CVE-2018-8581 is unexploitable if the DisableLoopbackCheck registry value is removed.”, which is acknowledged by the exploit author in his list of seven alternative mitigations (and appears to be the only forthcoming fix anyway).
So the exploit seems tricky to implement and easy to prevent. Theoretical rather than practical? (Of course, potential escalation to Domain Admin should not be trivialized.)
2 users thanked author for this post.
b (AskWoody_MVP), January 26, 2019 at 10:33 am, #316770:
When Microsoft first published the CVE 10 weeks ago, the original proof-of-concept involved a domain user being able to intercept any other user’s email:
Impersonating Users on Microsoft Exchange
This week’s Mollema article and new proof-of-concept extends beyond Exchange to gain Domain Admin rights, but deleting the same registry value is the fix for both aspects.
anonymous (Guest), January 29, 2019 at 4:05 am, #317758:
This is incorrect. Removing the registry key only prevents attackers from sending authentication back to the Exchange server (reflection attack); it does not prevent sending the authentication that Exchange performs to a Domain Controller (relay attack).
The other mitigations should be applied to prevent the relay attack from working.
A MitM position is not required to perform the attack.

b (AskWoody_MVP), January 29, 2019 at 7:01 am, #317837:
Thanks for the correction. I thought I had understood the tangled web.
I now realize that Microsoft’s CVE-2018-8581 has not been updated since the Domain Controller attack was published.
And the PowerShell script fix to protect Domain Admin rights was confirmed yesterday by DHS/CERT:
VU#465632
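As an added example that is not part of the thread, Microsoft's CVE entry or the CERT/CC note, here is a PowerShell audit script for the settings the posts above argue about, run either on an Exchange server (-Role Exchange) or on a domain controller (-Role DomainController). The thread itself only names the DisableLoopbackCheck value; the NTDS registry values, the EwsMaxSubscriptions throttling parameter and the domain-object ACL check are my own reading of what the CERT/CC workarounds and the "PowerShell script fix" come down to, and the two cmdlet-based checks assume the Exchange Management Shell and the ActiveDirectory module are available where they run.

```powershell
<#
  Added example (my own code, not from the AskWoody thread, Microsoft or
  CERT/CC). Audits the settings discussed for CVE-2018-8581 / PrivExchange:
    Exchange role        : DisableLoopbackCheck (reflection path) and EWS
                           subscription throttling (what triggers the relay)
    DomainController role: LDAP signing / channel binding (relay target) and
                           WriteDacl on the domain object held by the
                           "Exchange Windows Permissions" group
  Assumptions not stated in the thread: the registry paths, value names and
  the EwsMaxSubscriptions parameter are the documented Windows/Exchange ones;
  the Exchange Management Shell and ActiveDirectory module are loaded where a
  cmdlet needs them; the script runs elevated on the machine being audited.
#>
param(
    [ValidateSet('Exchange', 'DomainController')]
    [string]$Role = 'Exchange'
)

function New-Result([string]$Check, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-LoopbackCheck {
    # Reflection case only: per the CVE FAQ the bug is unexploitable against
    # Exchange itself once this value is gone. It does nothing for the relay to a DC.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return New-Result 'DisableLoopbackCheck' 'OK' 'value absent' }
    New-Result 'DisableLoopbackCheck' 'FAIL' `
        ("present = {0}; fix: Remove-ItemProperty -Path '{1}' -Name DisableLoopbackCheck" -f $item.DisableLoopbackCheck, $key)
}

function Test-EwsSubscriptions {
    # Relay trigger: an EWS push subscription makes Exchange authenticate outbound
    # as its computer account. A throttling policy with EwsMaxSubscriptions = 0
    # removes that trigger for the mailboxes the policy applies to.
    if (-not (Get-Command Get-ThrottlingPolicy -ErrorAction SilentlyContinue)) {
        return New-Result 'EwsMaxSubscriptions' 'SKIP' 'Exchange Management Shell not loaded'
    }
    $open = Get-ThrottlingPolicy | Where-Object { "$($_.EwsMaxSubscriptions)" -ne '0' } |
            ForEach-Object { "$($_.Name)=$($_.EwsMaxSubscriptions)" }
    if (-not $open) { return New-Result 'EwsMaxSubscriptions' 'OK' 'all policies set to 0' }
    New-Result 'EwsMaxSubscriptions' 'WARN' ('policies still allowing subscriptions: ' + ($open -join ', '))
}

function Test-LdapHardening {
    # Relay target: with LDAP signing required (LDAPServerIntegrity = 2) a relayed
    # NTLM session cannot be used for unsigned LDAP writes; channel binding
    # (LdapEnforceChannelBinding = 2) covers the LDAPS variant.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $signing = if ($null -ne $p.LDAPServerIntegrity)      { [int]$p.LDAPServerIntegrity }      else { 1 }  # absent = 1 (none)
    $binding = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }  # absent = 0 (never)
    New-Result 'LDAPServerIntegrity'       $(if ($signing -eq 2) { 'OK' } else { 'FAIL' }) "value = $signing (2 = require signing)"
    New-Result 'LdapEnforceChannelBinding' $(if ($binding -eq 2) { 'OK' } else { 'FAIL' }) "value = $binding (2 = always)"
}

function Test-DomainObjectDacl {
    # What the relayed Exchange computer account abuses: a WriteDacl ACE on the
    # domain object that the server holds via membership of Exchange Windows
    # Permissions. The "PowerShell script fix" amounts to removing that ACE.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        return New-Result 'DomainObjectWriteDacl' 'SKIP' 'ActiveDirectory module not available'
    }
    Import-Module ActiveDirectory
    $dn   = (Get-ADDomain).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*\Exchange Windows Permissions' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -ne 0)
    }
    if (-not $hits) { return New-Result 'DomainObjectWriteDacl' 'OK' "no WriteDacl ACE for Exchange Windows Permissions on $dn" }
    New-Result 'DomainObjectWriteDacl' 'FAIL' ('{0} WriteDacl ACE(s) for Exchange Windows Permissions on {1}' -f @($hits).Count, $dn)
}

$results = switch ($Role) {
    'Exchange'         { Test-LoopbackCheck; Test-EwsSubscriptions }
    'DomainController' { Test-LdapHardening; Test-DomainObjectDacl }
}
$results | Format-Table -AutoSize
```

The split into two roles mirrors the correction in this thread: an OK on DisableLoopbackCheck only closes the reflection path, while the relay is stopped on the DC side (signing and channel binding, or removing the ACE) or by taking away the EWS subscription trigger on the Exchange side.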
gborn (AskWoody_MVP), January 26, 2019 at 11:59 am, #316788:
Quoting an earlier reply: “I wonder if this could be related to the O365 outage in Europe? They were saying domain controllers were causing the outages.”
I don’t think so. The office365.com Exchange Online outage seems to be a broken load-balancing issue in a Domain Controller (not a hack; see my article from today).
The vulnerability CVE-2018-8581 has been known since Nov. 2018; see my blog post:
https://borncity.com/win/2018/11/20/vulnerability-in-exchange-server-2010-2019/
The only thing that’s new is the fact that a Proof of Concept is now public.
Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author
https://www.borncity.com/win/
1 user thanked author for this post.
b (AskWoody_MVP), January 27, 2019 at 12:32 pm, #317008:
Quoting an earlier reply: “Forgive my ignorance, but does this affect Outlook?”
Not really, although Outlook Web Access is used as part of the published mailbox hijacking attack.
If your Outlook connects to a company or school Exchange server, it’s for an Exchange Admin to fix, patch or check registry settings; as in that case your emails could theoretically get diverted to someone else’s mailbox.
2 users thanked author for this post.
b (AskWoody_MVP), January 28, 2019 at 11:55 pm, #317734:
U.S. Department of Homeland Security issued a vulnerability notification:
CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks, which links to CERT Coordination Center (CERT/CC) Vulnerability Note VU#465632:
Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks, which provides a concise description of the issue and workarounds for Exchange Server or Domain Controller, along with:
Impact
An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user’s password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.
1 user thanked author for this post.
b (AskWoody_MVP), February 5, 2019 at 10:44 pm, #321983:
New mitigations and workarounds:
ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability
Security Advisory
Published: 02/05/2019
A planned update is in development.
3 users thanked author for this post.
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.