
Newsletter Archives

  • Do you still patch on premises Exchange servers?

    Posted on March 2nd, 2021 at 16:29

    Do you still patch a Microsoft Exchange server in your network? If you do, heads up. There are widespread attacks underway. Microsoft has released patches for it. While they say “Exchange online is not impacted”… my guess is that it’s already patched and/or mitigated for the issue.

    What’s interesting to me is that the attackers are coming FROM the United States. It’s like the SolarWinds attacks: they aren’t coming from outside the USA, but from inside. Thus geo blocking no longer works to keep the bad guys out.

    https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

    https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/

    Note this is no longer “limited attacks”. Many small businesses have been impacted as well.

  • Microsoft Exchange 0day exploit code published

    Posted on January 25th, 2019 at 14:33

    According to Thomas Claburn at The Reg:

    Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.

    Claburn goes on to reference Dirk-jan Mollema’s proof of concept post:

    This blog combines a few known vulnerabilities and known protocol weaknesses into a new attack. There are 3 components which are combined to escalate from any user with a mailbox to Domain Admin access:

    • Exchange Servers have (too) high privileges by default
    • NTLM authentication is vulnerable to relay attacks
    • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server

    Here’s where it gets thick. Er. Mollema claims his method allows an “attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”

    Microsoft, however, has apparently weighed in on the elevation of privilege bug in CVE-2018-8581:

    To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

    And there’s the rub. The headlines make it sound like anybody with an Exchange mailbox can become a Domain Admin. The Microsoft CVE report (which, I assume, relates to the same bug) says that a man-in-the-middle attack is necessary.

    Big difference.

    Anybody know the details?
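As an added, defender-side example (not from the post, from The Reg, or from Mollema's write-up): the "too high privileges by default" in the first of the three components quoted above is Exchange's WriteDacl right on the domain object, held through the Exchange Windows Permissions group. The PowerShell audit below, assuming the ActiveDirectory RSAT module and a domain-joined session that can read the domain ACL, lists any ACEs that still grant Exchange's setup groups ACL-rewriting rights on the domain object.

```powershell
# Added example, not the post's or Mollema's code.
# Assumes: ActiveDirectory module (RSAT) and read access to the domain object's ACL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$acl    = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# Groups Exchange setup creates; split-permissions deployments may name things differently.
$exchangeGroups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')

# Rights that let the holder rewrite the domain ACL and so grant themselves anything else.
$dangerous = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band $dangerous) -eq 0) { continue }

    # Strip the DOMAIN\ prefix so the name matches the group list.
    $name = $ace.IdentityReference.Value -replace '^.*\\', ''
    if ($exchangeGroups -contains $name) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Exchange groups hold ACL-rewriting rights on $($domain.DistinguishedName):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No WriteDacl/WriteOwner/GenericAll for Exchange groups on the domain object."
}
```

Later Exchange cumulative updates reduced these default permissions, so a non-empty result means that reduction has not been applied in the forest yet.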