ADV190007 | Guidance for PrivExchange Elevation of Privilege Vulnerability


Exchange on-prem only
Security Advisory
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. In practice this is an NTLM relay: the EWS push-notification (subscription) feature is used to make the Exchange server authenticate to an attacker-controlled host, and that authentication is relayed elsewhere, which is why the workaround below targets EWS subscriptions.
A planned update is in development. If you determine that your system is at high risk then you should evaluate the proposed workaround: an organization-wide throttling policy that sets EwsMaxSubscriptions to 0 (the "How to" below walks through it). After installing the update you can undo the workaround by removing that policy, substituting the name you gave it:
Remove-ThrottlingPolicy AllUsersEWSSubscriptionBlockPolicy

For more about throttling policies, see the Exchange documentation for the New-ThrottlingPolicy and Set-ThrottlingPolicy cmdlets.

How to

Run the following command to create the organization-wide throttling policy (note that Exchange permits only one Organization-scope policy; if one already exists, set EwsMaxSubscriptions to 0 on it with Set-ThrottlingPolicy instead):

New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

Then create an exception (whitelist) policy for users whose clients or applications break without EWS subscriptions:

New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

Assign those users to the exception policy (a Regular-scope policy assigned to a mailbox overrides the Organization-scope policy). Keep this list short: every exempted account re-opens the attack path for anyone who can authenticate as that account.

Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions
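The complete procedure as one script, with the verification and rollback steps the advisory leaves out. This is an added example, not part of the MSRC advisory or the original post; it assumes the Exchange Management Shell and an account in the Organization Management role, reuses the policy names and User1 from the How to above, and introduces a hypothetical line-of-business service account named svc-lobapp for illustration.

```powershell
# Added example (not from the advisory): apply the EWS subscription throttling
# workaround, verify it, and roll it back after the update is installed.
# Assumes the Exchange Management Shell; 'svc-lobapp' is a hypothetical account.

# 0. Exchange allows only one Organization-scope policy. If one already exists,
#    change its limit in place instead of creating a second policy.
$existingOrg = Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' }
if ($existingOrg) {
    Set-ThrottlingPolicy -Identity $existingOrg.Name -EwsMaxSubscriptions 0
} else {
    # 1. Block EWS subscriptions for every mailbox that has no Regular-scope
    #    policy explicitly assigned.
    New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
}

# 2. Exception policy. Only EwsMaxSubscriptions is set (5000, the value used in
#    the How to above); every other setting is inherited from the policy chain.
New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

# 3. Exempt only accounts that demonstrably need EWS notifications (Outlook for
#    Mac / Skype for Business users, LOB service accounts). Each exemption keeps
#    the relay path open for anyone holding that account's credentials.
$exempt = @('User1', 'svc-lobapp')
foreach ($mbx in $exempt) {
    Set-Mailbox -Identity $mbx -ThrottlingPolicy AllowEwsSubscriptions
}

# 4. Verify: the Organization-scope policy must show EwsMaxSubscriptions = 0,
#    and only the intended mailboxes should carry a Regular-scope policy.
Get-ThrottlingPolicy |
    Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' } |
    Format-List Name, ThrottlingPolicyScope, EwsMaxSubscriptions
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $null -ne $_.ThrottlingPolicy } |
    Select-Object Name, ThrottlingPolicy

# 5. Rollback once the security update is installed. Clear the mailbox
#    assignments first so the policy removal does not fail on references.
foreach ($mbx in $exempt) {
    Set-Mailbox -Identity $mbx -ThrottlingPolicy $null
}
Remove-ThrottlingPolicy -Identity AllowEwsSubscriptions
if (-not $existingOrg) {
    Remove-ThrottlingPolicy -Identity NoEwsSubscriptions
}
```

Run step 4 again after rollback; no mailbox should list a ThrottlingPolicy and no Organization-scope policy should remain with EwsMaxSubscriptions set to 0. If you modified a pre-existing Organization-scope policy in step 0, restore its original EwsMaxSubscriptions value with Set-ThrottlingPolicy rather than removing it.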

From <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>

Please read the following carefully:

  • The issue described in the blog post "Abusing Exchange: One API call away from Domain Admin" only affects on-premises deployments. Exchange Online is not affected.
  • The attack scenario described in the blog referenced above requires NTLM. Systems that have disabled NTLM are not affected.
  • Attackers cannot compromise a Domain Admin account if an on-premises deployment follows Microsoft's security best practice guidance and has implemented Active Directory split permissions. For more information on using Active Directory split permissions with Exchange, see "Understanding split permissions: Exchange 2013 Help".

    Note:
    This document refers to Exchange Server 2013, but the same model can be used for later versions of Exchange Server.


    Note about this EWS subscription throttling workaround:

    A customer's risk assessment must weigh the protections gained by the workaround against its possible unwanted side effects. The following are possible side effects of the EWS subscription throttling policy:

    This workaround may be disruptive to Outlook for Mac, Skype for Business clients, and Apple Mail clients, causing them to not function properly. Importantly, the throttling policy won't block Autodiscover and Free/Busy requests. The EWS throttling policy will also negatively impact line-of-business (LOB) and other third-party applications that require EWS notifications. A second policy can be created to whitelist trusted accounts.


    From <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>
