Technical findings: CVE-2019-0686
Microsoft Exchange Server 2010 SP3 UR26
Microsoft Exchange Server 2013 CU22
Microsoft Exchange Server 2016 CU12
Microsoft Exchange Server 2019 CU1
-Microsoft Exchange Server is affected by an elevation of privilege vulnerability. An attacker who successfully exploits it may impersonate any other user of the Exchange server.
-To exploit this vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
The attack relies on two key components to be successful:
-Firstly, it relies on utilizing a man-in-the-middle attack against Exchange Server to perform an NTLM relay attack. In essence, this relies on an attacker intercepting the authentication process. This in itself isn’t an Exchange vulnerability, but as Exchange uses NTLM over various HTTP channels, it makes it susceptible to exploit.
NTLM: NTLM is an older, challenge/response-based Microsoft authentication protocol. When a client authenticates to a server using NTLM, it cannot validate the identity of the server, so users might provide their credentials to a bogus server. This means that a malicious actor with man-in-the-middle capabilities could send the client fake/malicious data while impersonating the server.
-The second component of this vulnerability relates to the ability of an attacker to force Exchange to attempt to authenticate as the computer account. To do this, the attacker can use Exchange Web Services to force Exchange Server to make a new outbound HTTP call that uses NTLM to attempt to authenticate against an arbitrary URL via the EWS Push Subscription feature.
Kerberos is preferred over NTLM to avoid NTLM relay attacks.
Conclusion of this vulnerability: this could allow the attacker to perform activities such as accessing the mailboxes of other users. So far no active exploitation has been seen.
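Because the second component makes the Exchange computer account authenticate over NTLM to a host the attacker controls, the relay leaves a recognisable trace on the side that finally accepts the credentials: a network logon (event 4624, logon type 3) over the NTLM package, for a computer account, but arriving from an address that is not one of the Exchange servers. The following detector is an added example written for this note, not code from the original findings or from Microsoft; the pipe-delimited event format, the server addresses, the account name EXCH01$ and every sample line are constructed assumptions, so map the parser onto your own SIEM export before use.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed: addresses the Exchange servers legitimately authenticate from.
EXCHANGE_SERVER_IPS = {"10.0.0.5"}
# Assumed: the Exchange computer accounts (constructed name for the example).
EXCHANGE_COMPUTER_ACCOUNTS = {"EXCH01$"}


@dataclass
class LogonEvent:
    event_id: int       # Windows Security event id, e.g. 4624 = successful logon
    account: str        # account name; computer accounts end with '$'
    logon_type: int     # 3 = network logon
    auth_package: str   # "NTLM" or "Kerberos"
    source_ip: str      # address the logon request arrived from


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed export line: id|account|logon_type|auth_package|source_ip."""
    event_id, account, logon_type, auth_package, source_ip = line.strip().split("|")
    return LogonEvent(int(event_id), account, int(logon_type), auth_package, source_ip)


def is_suspicious_relay_logon(ev: LogonEvent) -> bool:
    """
    True when an Exchange computer account completes a network logon over
    NTLM from an address that does not belong to an Exchange server.
    In a relay the victim's NTLM exchange is replayed by the attacker's
    host, so the source address no longer matches the account owner.
    Kerberos logons are left alone: Kerberos tickets are bound to the
    target service and are not usable in an NTLM relay.
    """
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False
    if not ev.account.endswith("$"):
        return False                      # ordinary user logon, not the signal here
    if ev.account.upper() not in EXCHANGE_COMPUTER_ACCOUNTS:
        return False                      # other machine accounts are out of scope
    return ev.source_ip not in EXCHANGE_SERVER_IPS


def find_relay_candidates(lines: Iterable[str]) -> List[LogonEvent]:
    """Return every event in the export that matches the relay pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspicious_relay_logon(ev)]


# Constructed sample export (not real log data).
SAMPLE_EVENTS = [
    "4624|EXCH01$|3|NTLM|10.0.0.5",       # Exchange authenticating from itself: normal
    "4624|EXCH01$|3|Kerberos|10.0.0.5",   # Kerberos logon: not relayable over NTLM
    "4624|EXCH01$|3|NTLM|10.0.7.42",      # computer account from a workstation: suspicious
    "4624|jdoe|3|NTLM|10.0.7.42",         # ordinary user over NTLM: different signal
    "4625|EXCH01$|3|NTLM|10.0.7.42",      # failed logon: not a completed relay
]

if __name__ == "__main__":
    for ev in find_relay_candidates(SAMPLE_EVENTS):
        print(f"possible NTLM relay of {ev.account} from {ev.source_ip}")
```

The address allow-list is deliberately strict: Exchange servers talk to each other and to domain controllers from their own addresses, so a computer-account NTLM logon from anywhere else deserves a look, even if the final verdict needs the EWS logs to confirm that a push subscription pointed the server at that host.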
-Is this Exchange vulnerability exploitable from outside my network?
Active and successful exploitation has not been seen so far, but yes, it is possible.
-Can external scanning tools detect this vulnerability?
Personally I am not aware of any exploit scanning tool which can find the currently running Exchange version number. But there are ways which can be leveraged to find the running Exchange server version number; if that’s the case then yes, remote attackers can detect the vulnerability.
If an organization’s on-prem Exchange server is using MAPI over HTTP, you can use the following URL to check which version of Exchange is running on the server hosting your mailbox:
For Office 365 use https://outlook.office.com/mapi/emsmdb/
The bad thing about this method is that it even works externally, as long as Outlook Anywhere is published to the Internet.