Microsoft recently acknowledged a vulnerability affecting its email and calendar service Exchange that could allow an attacker to gain significant control over particular organizations’ email servers and, as a consequence, their cloud environments.
The vulnerability,
Microsoft provided specific steps for mitigating the vulnerability, involving installing an update released in April and making a specific improvement to the security configuration of Exchange.
On Thursday, the Cybersecurity and Infrastructure Security Agency issued an emergency directive to federal agencies, indicating the disclosed vulnerability “poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations.”
The agency said in the directive that while “exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server,” the agency is “deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s Microsoft 365 Exchange Online environment.”
How the vulnerability works
The vulnerability is a form of privilege escalation. This means an attacker who already has some level of access (like a compromised, low-privilege user account) within an organization’s network could exploit the situation to gain higher-level permissions.
The core issue is that an attacker could abuse the permissions of a predictable, preinstalled credential to move from a low-privilege position to a high-privilege one.
Although the preinstalled credential was meant to enable certain low-risk functionalities — for example, allowing users to show colleagues whether they are free or busy at a certain time, based on events in their Microsoft calendar — it had a vulnerability that could enable a threat actor to impersonate any user in the organization.
An attack exploiting this vulnerability would go something like this:
First, gain a foothold. The attacker first compromises a regular user account within the organization, perhaps with a mass phishing attack that only one person would need to fall for.
Second, target the vulnerable credential by finding the service that uses it. The vulnerability stems from the way Microsoft let hybrid Exchange customers set up a service that used the same identifier in every organization, so an attacker would know exactly what to look for. The attacker could then analyze the permissions associated with that service, which by default were broader than strictly necessary.
Third, impersonate the service. The attacker could craft a malicious request, effectively pretending to be the hybrid service. They could abuse the trust relationship between Exchange on-premises and Exchange Online to request the vulnerable credential — an access token.
Fourth, escalate privileges. Using this token, the attacker could access data they weren’t authorized to see, such as reading other users’ emails or calendar information.
Steps to mitigate
Microsoft and CISA urged organizations, especially those in sensitive sectors like finance, to make specific reconfigurations to their hybrid Exchange setup to mitigate the vulnerability.
The first step is to install
Second, run the script to replace the insecure service (known as a shared service principal) with the more secure service (known as a dedicated Exchange hybrid application). Or, if the organization does not need features such as allowing Exchange users to see others’ profile pictures, simply remove the insecure service without replacing it.
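One way an administrator can verify that the second step actually took effect is to look at the shared service principal in the tenant and confirm it no longer carries any key credentials, since those are what the on-premises server used to obtain tokens in the attack chain described under “How the vulnerability works.” The PowerShell below is an added example, not Microsoft’s script and not code from the article; it assumes the Microsoft.Graph.Applications module is installed, that the signed-in account holds the Application.Read.All permission, and that the shared service principal is the well-known first-party “Office 365 Exchange Online” application whose app ID appears in the script (that ID is an assumption on the part of this example, not a value from the article).

```powershell
# Added example (not from the article or from Microsoft): check whether the
# shared Exchange Online service principal in this tenant still has key
# credentials attached after running the hybrid-application migration or
# clean-up. Assumes Microsoft.Graph.Applications is installed and the signed-in
# account has Application.Read.All.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"

# Assumed app ID of the first-party "Office 365 Exchange Online" application.
$exoAppId = "00000002-0000-0ff1-ce00-000000000000"

$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" `
        -Property Id, DisplayName, KeyCredentials

if (-not $sp) {
    Write-Output "No service principal for app $exoAppId exists in this tenant."
}
elseif (-not $sp.KeyCredentials -or $sp.KeyCredentials.Count -eq 0) {
    # Expected state once the shared service principal has been cleaned up.
    Write-Output "OK: '$($sp.DisplayName)' has no key credentials attached."
}
else {
    # Leftover certificates mean the on-premises server can still authenticate
    # as the shared service principal; the mitigation is not complete.
    Write-Output "ATTENTION: '$($sp.DisplayName)' still has $($sp.KeyCredentials.Count) key credential(s):"
    $sp.KeyCredentials |
        Select-Object DisplayName, KeyId, StartDateTime, EndDateTime |
        Format-Table -AutoSize
}

Disconnect-MgGraph | Out-Null
```

Run it from an account that can read application objects in the tenant; a non-empty key credential list after the migration is the signal to rerun Microsoft’s clean-up step, while an empty list (or no such service principal at all, if the organization chose simply to remove it) is the state the mitigation aims for.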