Microsoft Exchange 0day exploit code published
Tagged: CVE-2018-8581, Exchange 0day
- This topic has 15 replies, 8 voices, and was last updated 2 years ago.
January 25, 2019 at 2:33 pm #316600
woody
Manager
According to Thomas Claburn at The Reg: Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user wi
[See the full post at: Microsoft Exchange 0day exploit code published] -
January 25, 2019 at 3:40 pm #316612
NetDef
AskWoody_MVP
My first thought as well, although we may never know.
Makes me very glad my last self-hosted Exchange server was retired last year. They were always very high maintenance (I supported pretty much every version from v.4.0 through v.2013 . . . )
Now that they are all on O365 or GMail all I have to worry about is whether/when they get compromised and my users impersonated.
Oh, wait . . .
:O
~ Group "Weekend" ~
January 25, 2019 at 6:14 pm #316636
b
AskWoody MVP
Despite Microsoft’s CVE-2018-8581 saying “no mitigations or workarounds”, the FAQ has a single command to delete a registry value on the Exchange Server: “The vulnerability described by CVE-2018-8581 is unexploitable if the DisableLoopbackCheck registry value is removed.”, which is acknowledged by the exploit author in his list of seven alternative mitigations (and appears to be the only forthcoming fix anyway).
So the exploit seems tricky to implement and easy to prevent. Theoretical rather than practical? (Of course, potential escalation to Domain Admin should not be trivialized.)
2 users thanked author for this post.
January 26, 2019 at 10:33 am #316770
b
AskWoody MVP
When Microsoft first published the CVE 10 weeks ago, the original proof-of-concept involved a domain user being able to intercept any other user’s email:
Impersonating Users on Microsoft Exchange
This week’s Mollema article and new proof-of-concept extends beyond Exchange to gain Domain Admin rights, but deleting the same registry value is the fix for both aspects.
January 29, 2019 at 4:05 am #317758
anonymous
Guest
This is incorrect. Removing the registry key only prevents attackers from sending authentication back to the Exchange server (reflection attack), it does not prevent sending the authentication that Exchange performs to a Domain Controller (relay attack).
The other mitigations should be applied to prevent the relay attack from working.
A MITM position is not required to perform the attack.
January 29, 2019 at 7:01 am #317837
b
AskWoody MVP
Thanks for the correction. I thought I had understood the tangled web.
I now realize that Microsoft’s CVE-2018-8581 has not been updated since the Domain Controller attack was published.
And the PowerShell script fix to protect Domain Admin rights was confirmed yesterday by DHS/CERT:
VU#465632
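As an added example (not a script from the thread, Microsoft, or CERT/CC), a PowerShell audit of the DisableLoopbackCheck value that the CVE-2018-8581 FAQ says to remove; it assumes the value's standard location under the LSA key, reports its state, and deletes it only on request. Following the correction above, it treats the registry change as covering the reflection path only; the relay path to the Domain Controller still needs the separate VU#465632 mitigations.

```powershell
# Added example, not from the thread, Microsoft, or CERT/CC: audit (and
# optionally remove) the DisableLoopbackCheck value named in the
# CVE-2018-8581 FAQ. The path is the standard LSA key on Windows (assumed).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableLoopbackCheck'

function Get-LoopbackCheckStatus {
    # Reports whether the value exists and whether its current setting still
    # leaves the server open to the reflection half of the attack.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; ReflectionMitigated = $true }
    }
    $v = [int]$item.$ValueName
    # 1 disables the loopback check (reflection possible); 0 keeps it on.
    return [pscustomobject]@{ Present = $true; Value = $v; ReflectionMitigated = ($v -eq 0) }
}

function Remove-LoopbackCheckValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $status = Get-LoopbackCheckStatus
    if (-not $status.Present) {
        Write-Output "$ValueName is not set; nothing to remove."
        return
    }
    # The FAQ wording is that the value is *removed*, so delete it rather
    # than setting it to 0; -WhatIf previews the change without applying it.
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $LsaKey -Name $ValueName
    }
}

# Usage (run elevated on the Exchange server):
$before = Get-LoopbackCheckStatus
Write-Output ("Before: present={0} value={1} reflectionMitigated={2}" -f `
    $before.Present, $before.Value, $before.ReflectionMitigated)
if (-not $before.ReflectionMitigated) {
    Remove-LoopbackCheckValue -WhatIf   # drop -WhatIf to apply
}
# This covers only the reflection path; the NTLM relay path to the Domain
# Controller needs the separate mitigations in VU#465632 / ADV190007.
```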
January 26, 2019 at 11:59 am #316788
gborn
AskWoody_MVP
> I wonder if this could be related to the O365 outage in Europe? They were saying domain controllers were causing the outages.
I don’t think so – the office365.com Exchange Online outage seems to be a broken load balancing issue in Domain Controller (not a hack, see my article from today)
The vulnerability CVE-2018-8581 has been known since Nov. 2018 – see my blog post
https://borncity.com/win/2018/11/20/vulnerability-in-exchange-server-2010-2019/
The only thing that’s new is the fact that a proof of concept is now public.
Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author
https://www.borncity.com/win/
1 user thanked author for this post.
January 27, 2019 at 12:32 pm #317008
b
AskWoody MVP
> Forgive my ignorance, but does this affect Outlook?
Not really, although Outlook Web Access is used as part of the published mailbox hijacking attack.
If your Outlook connects to a company or school Exchange server, it’s for an Exchange Admin to fix, patch or check registry settings; as in that case your emails could theoretically get diverted to someone else’s mailbox.
2 users thanked author for this post.
January 28, 2019 at 11:55 pm #317734
b
AskWoody MVP
U.S. Department of Homeland Security issued a vulnerability notification:
CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks
which links to CERT Coordination Center (CERT/CC) Vulnerability Note VU#465632:
Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks
which provides a concise description of the issue and workarounds for Exchange Server or Domain Controller, along with:
Impact
An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user’s password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.
1 user thanked author for this post.
February 5, 2019 at 10:44 pm #321983
b
AskWoody MVP
New mitigations and workarounds:
ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability
Security Advisory
Published: 02/05/2019
A planned update is in development.
3 users thanked author for this post.
Copyright © 2004 – 2021 AskWoody Tech LLC. All rights reserved.