Exchange Security Hole, Delayed Updates and Basic Authentication End Date Announced

This week brings Exchange Online news regarding Basic Authentication, plus a September cumulative update delay for Exchange Server.

If that weren't enough, there's a major security hole discovered in Exchange Server regarding its use of the Autodiscover client configuration component. This Autodiscover issue is said by Guardicore Labs researchers to have spilled tens of thousands of Windows domain credentials.

Basic Authentication Ending Oct. 1, 2022
Basic Authentication in Exchange Online and other services will end on Oct. 1, 2022, the Exchange team announced on Thursday.

In June, Microsoft had said it would just turn off Basic Authentication for Exchange Online when it perceived it wasn't in use by organizations, and it offered a "reenablement tool" for the organizations that were still clinging to it. The announcement this week, though, made it clear that Basic Authentication is ending, forever, "regardless of usage."

"We are not providing the ability to use Basic Auth after October 2022," the announcement explained in its FAQ section. "You should ensure your dependency on Basic Auth in Exchange Online has been removed by that time."

A sort of dry run of this Basic Authentication turnoff is planned for "early 2022," when Microsoft is planning to "selectively pick tenants and disable Basic Auth for all affected protocols except SMTP AUTH for a period of 12-48 hours." Even though Basic Authentication will get restored after this time period, there still will be a hard stop for it on Oct. 1, 2022.

There is a way to request a "limited opt out" in the interim using the Microsoft 365 Admin Center, but Basic Authentication is still coming to an end.

Basic Authentication is the use of a simple user name and password to authenticate with a service, such as Exchange Online. It's a potentially insecure approach that's still used with older client applications. The problem with Basic Authentication is that it's subject to password spray attacks, in which commonly used passwords are tried against many accounts across an organization to gain a foothold.

Microsoft wants organizations to switch to client applications that leverage so-called "modern authentication," and use multifactor authentication (a secondary means of verifying user credentials beyond a password).

September Exchange Server Cumulative Updates Delayed
In other news regarding Exchange Server, Microsoft noted last week that cumulative updates (CUs) for Exchange Server products would get delayed.

Exchange Server CUs typically arrive on the "third Tuesday of a month." Sept. 21 would have been the CU distribution date for Exchange Server, but Microsoft is pushing out the release date to Sept. 28.

The delay is being done to improve the quality of the CUs, the announcement indicated. It's also being done to distribute "a new security-related feature," which wasn't explained, but it will get explained in "an upcoming blog post," Microsoft promised.

Regarding Exchange Server patch quality, Rhoderick Milne, a principal customer engineer at Microsoft, noted in a recent blog post that Microsoft fell short with its March patches for issues associated with "Hafnium" attacks, dubbed "ProxyLogon." He also described Microsoft shortcomings with its July Exchange Server patches.

"There were multiple issues to resolve in the July 2021 Exchange security updates," Milne wrote. "In this case the AD DS schema was not updated as the latest CU was not installed onto the server."

Exchange Server, Autodiscover and Leaked Windows Domain Credentials
Meanwhile, the Guardicore Labs team recently reported gaining access to "tens of thousands" of Windows domain credentials through a flaw in Autodiscover, which is used to make it easier for end users to log on to Exchange Server accounts via an automatic configuration process for client applications.

Because of this flaw, it's possible for an attacker to "capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire." An attacker can then use DNS poisoning to siphon "leaky passwords," Guardicore Labs added.

Security protections can even be downgraded to Basic Authentication, Guardicore Labs indicated.

"Additionally, we have developed an attack -- 'The ol' switcheroo' -- which downgrades a client's authentication scheme from a secure one (OAuth, NTLM) to HTTP Basic Authentication where credentials are sent in clear text," the researchers indicated.

Guardicore didn't describe Microsoft's reaction to the Exchange Server Autodiscover flaw, but it offered some "mitigation tips." The general public should make sure they are blocking domains used by Autodiscover at the firewall. IT pros should disable Basic Authentication when deploying or configuring Exchange. Software vendors should not let Autodiscover "fail upwards."
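One way to picture the "fail upwards" behaviour and the firewall block list the researchers recommend, as an added Python example that is not the article's, Guardicore's or Microsoft's code. It assumes the back-off Guardicore described in its report (the client drops the leftmost label of the user's domain and retries, eventually reaching an Autodiscover host outside the organisation) and uses a constructed stand-in for the Public Suffix List.

```python
# Added example, not code from the article, Guardicore or Microsoft.
# Models the Autodiscover client "back-off" that Guardicore reported
# (strip the leftmost label of the user's domain and retry) and the
# defensive rule vendors are asked to follow: never "fail upwards" past
# the organisation's own registrable domain.
# Assumption: PUBLIC_SUFFIXES is a constructed stand-in for the real
# Public Suffix List, which a production client would consult instead.

PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}  # constructed


def registrable_domain(domain: str) -> str:
    """Return the organisation-owned domain: one label above a public suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix: treat the whole name as owned


def autodiscover_candidates(email: str, fail_upwards: bool) -> list[str]:
    """Hosts a client would try, in order. fail_upwards=True is the leaky walk."""
    if "@" not in email:
        raise ValueError("expected user@domain")
    labels = email.rsplit("@", 1)[1].lower().strip(".").split(".")
    floor = registrable_domain(".".join(labels))
    hosts = []
    while labels:
        current = ".".join(labels)
        inside_org = current == floor or current.endswith("." + floor)
        if not fail_upwards and not inside_org:
            break  # defensive client stops at the organisation boundary
        hosts.append(f"autodiscover.{current}")
        labels = labels[1:]  # "fail upwards": drop the leftmost label
    return hosts


def leaked_hosts(email: str) -> set[str]:
    """Autodiscover hosts outside the org that a leaky client would contact;
    these are the names a firewall block list should cover."""
    return set(autodiscover_candidates(email, True)) - set(
        autodiscover_candidates(email, False))
```

For a multi-label suffix such as co.uk the leaky walk reaches two hosts outside the organisation, which is why the block list is generated rather than hard-coded.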

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
