Microsoft Issues Yet Another Exchange Server Security Advisory
Microsoft on Monday issued Security Advisory ADV190007 concerning an elevation-of-privilege vulnerability that's present in most Exchange Server versions.
It's maybe the second such advisory this month on such a flaw. The vulnerability can enable the impersonation of users on an Exchange Server network. Carrying out the exploit requires executing a "man-in-the-middle attack," which is used to "forward an authentication request to a Microsoft Exchange Server," the advisory explained. Versions of Exchange Server 2010, Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 were all listed as potentially affected, but the severity ratings weren't described.
Microsoft's advisory indicated that "a planned update is in development" for this vulnerability, without specifying an arrival date. In the meantime, organizations subject to the vulnerability can implement a workaround, as described in the advisory. The workaround consists of making an organizationwide policy change to block the creation of Exchange Web Services subscriptions, but it's also possible to "whitelist" certain trusted users.
Same Problem, Different Advisory?
This week's advisory seems similar to last week's updated CVE-2018-8581 advisory on an Exchange Server elevation-of-privilege vulnerability that got highlighted in a US-CERT advisory. US-CERT described it back then as an NT LAN Manager (NTLM) relay attack, which was sourced to research conducted by Dirk-jan Mollema, which in turn was based on Trend Micro's Zero Day Initiative findings. Regarding CVE-2018-8581, US-CERT had recommended disabling Exchange Web Services push/pull subscriptions, but noted at that time that it wasn't an approach supported by Microsoft.
It's not clear if the two advisories are related or describing the same vulnerability. In response to a query, a Microsoft spokesperson said the company had nothing to share.
"It's possibly an exploitation vector that's new," speculated Ajit Sancheti, CEO at Preempt Security, a San Francisco-based threat prevention solution provider, in a Thursday phone call regarding ADV190007.
"The original one used a reflection attack, meaning it performed an NTLM relay to reflect the credentials back to the Exchange Server and they found a fix for that," explained Marina Simakov, a security researcher at Preempt. "However, they found another usage for that so they don't have to relay the credentials to the Exchange Server itself. They can relay the credentials to any other server. And if you don't have the correct mediation for NTLM relay, you can get privileged escalation."
All Signs Point to NTLM
The problems center on the use of Microsoft's old NTLM authentication protocol, a technology that dates back to the early 1990s. NTLM hasn't been the default for Windows systems "for more than 17 years," but "it is still very much in use," explained Yaron Zinar, a senior security researcher at Preempt, in a Preempt blog post.
That post is one of his many useful discussions on the security risks of NTLM. More recently, Zinar described what to do in response to the US-CERT warning in this blog post.
Microsoft still supports NTLM, but recommends using Kerberos instead. Microsoft lists documents on how to restrict the use of NTLM at this page. Another possible security approach is to use Active Directory Split Permissions with Exchange, as described in this Microsoft document. The idea of splitting permissions is to get away from the default capability in Exchange Server of being able to authenticate on both Exchange and Active Directory, which is known as the "shared permissions model."
Microsoft's ADV190007 advisory noted that "systems that have disabled NTLM are not affected" by this vulnerability. However, "you cannot disable NTLM entirely," Simakov suggested.
"The best situation would be to obviously disable NTLM since the vulnerability is in the program itself," she added. "If the user is authenticating using NTLM, you can relay the credentials and access another server if you don't have the proper mitigations in place. And most organizations, unfortunately, don't have those mitigations."
The mitigations might include things like SMB signing, LDAP signing and LDAPS channel binding, and other measures. The free Preempt Inspector tool can be used to see how vulnerable an organization is to NTLM relay attacks.
"But the biggest problem is that every organization has some system that would not work if you disable NTLM entirely," Simakov said. "NTLM, I think, will be here for a long time, but you need to get the proper mitigation in place in order to protect your environment from NTLM relay," she added.
Microsoft's advisory had suggested that its workaround of throttling Exchange Web Services could affect the functioning of various applications, such as Outlook for Mac and Skype for Business, as well as some iOS native e-mail clients and certain line-of-business apps.
It may not be possible to disable NTLM, so organizations may need to take other steps.
"It is obviously turning out to be an architectural issue, but it's also got the legacy challenges of, 'If you want to be able operate, you've got to be able to do that,'" Sancheti said. He added that organizations can use the Preempt platform to gain visibility on NTLM behavior in a network, and then IT pros can use that information get control over it.
It's a systemic issue. There are a many ways to get someone with high privileges to perform NTLM authentication to an attacker, Simakov explained. Once that happens, it's possible for the attacker to execute an NTLM relay attack and do anything to an environment. She added that having a man in the middle, as suggested by Microsoft, isn't a prerequisite.
"The biggest problem is that you don't need to have an actual man in the middle," she said. "You don't need to perform any manipulations on the network configuration. You can get Exchange to authenticate to you. You can get that to happen by a simple call. Once you do that, you already have the man in the middle."
The problem lies with the push subscription feature in Exchange Server, whenever that was added, she explained. She also blamed the NTLM protocol, plus legacy account permissions that aren't needed.
"NTLM relay would not work if the account that was performing the authentication didn't have high privileges to begin with," Simakov said. "Because you only get the permissions that the account that is authenticating to you has, so you want to make sure you have the least permissions that you need."
NTLM, though, isn't likely going away.
"NTLM is going to exist for a while," Sancheti said. "And these vectors of threats -- today it's Exchange; tomorrow, it could be something else -- these vectors are going to be there. For enterprises, the best thing to do is to figure out where does it exist, and if that behavior is changed then at least they have an opportunity to get the visibility and control."
Preempt specializes in a solution that helps organizations with responding to threats in real time, he added. The Preempt platform, in this case, can enable multifactor authentication, which can be used as an added protection against this vulnerability, Sancheti explained.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.