Advisory November 6, 2023

Microsoft Exchange Zero-Day Vulnerabilities

Microsoft Exchange Zero-Day Vulnerabilities (ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, ZDI-23-1581)

Overview

Multiple zero-day vulnerabilities in Microsoft Exchange have been disclosed by Trend Micro’s Zero Day Initiative (ZDI). These vulnerabilities can be exploited remotely to execute arbitrary code or disclose sensitive information on affected installations. Although they were reported to Microsoft on September 7th and 8th, 2023, the company has not yet released patches, which led ZDI to publicly disclose the vulnerabilities. This advisory provides details on the vulnerabilities and offers recommendations for mitigating the associated risks.

Vulnerabilities

  1. ZDI-23-1578 – Microsoft Exchange ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability:
    • Allows remote attackers to execute arbitrary code.
    • Requires authentication for exploitation.
    • Exploits a lack of proper validation of user-supplied data, leading to deserialization of untrusted data.
    • Successful exploitation results in code execution in the context of SYSTEM.
  2. ZDI-23-1579 – Microsoft Exchange DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability:
    • Allows remote attackers to disclose sensitive information.
    • Requires authentication for exploitation.
    • Results from insufficient validation of a URI before accessing resources.
    • Attackers can exploit this vulnerability to access sensitive information on Exchange servers.
  3. ZDI-23-1580 – Microsoft Exchange DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability:
    • Allows remote attackers to disclose sensitive information.
    • Requires authentication for exploitation.
    • Arises from the lack of proper validation of a URI before accessing resources.
    • Attackers can exploit this vulnerability to access sensitive information on Exchange servers.
  4. ZDI-23-1581 – Microsoft Exchange CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability:
    • Allows remote attackers to disclose sensitive information.
    • Requires authentication for exploitation.
    • Results from inadequate validation of a URI before accessing resources.
    • Attackers can exploit this vulnerability to access sensitive information on Exchange servers.
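The three SSRF entries above share one root cause: a user-supplied URI is fetched server-side before it is validated. The following Python is an added example, not Exchange code and not taken from ZDI's advisories, showing the pre-fetch check that closes that gap: a scheme allowlist, rejection of embedded credentials, and resolve-then-verify so that every address the host resolves to is publicly routable. The function and parameter names (including the injectable `resolver`) are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only the scheme a "download data from URI" feature genuinely needs.
# file:, ftp:, gopher: and friends are never legitimate for such a helper.
ALLOWED_SCHEMES = {"https"}


def default_resolver(host, port):
    """Resolve host to the addresses a TCP connection would actually use."""
    return socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)


def is_public_address(addr):
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (incl. 169.254.169.254 metadata), multicast,
    reserved and unspecified addresses for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 scope id
    return ip.is_global and not ip.is_multicast


def validate_fetch_uri(uri, resolver=default_resolver):
    """Decide whether a user-supplied URI may be fetched by the server.

    Returns (allowed, reason). The resolver is injectable so the check can
    be unit-tested without network access (hypothetical helper, not an
    Exchange API).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URI"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    try:
        addrs = {info[4][0] for info in resolver(host, port)}
    except OSError as exc:
        return False, f"name resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    # A name with even one internal record can reach an internal service,
    # so a single non-public address rejects the whole name.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The address that passed validation must also be the one the client connects to (pin it rather than resolving the name a second time), otherwise a DNS answer that changes between check and fetch defeats the check.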

Risk Assessment

  • These vulnerabilities are not rated critical, but they carry CVSS scores between 7.1 and 7.5.
  • Authentication is required for exploitation, which reduces the overall risk.
  • Cybercriminals may obtain Exchange credentials in various ways (e.g., by brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs), which makes addressing these vulnerabilities more important.

Mitigation

To mitigate the risks associated with these zero-day vulnerabilities, consider the following measures:

  1. Multi-Factor Authentication (MFA): Implement MFA to enhance security. Even if an attacker gains access to Exchange credentials, MFA can provide an additional layer of protection.
  2. Restricted Interaction with Exchange Apps: Although disruptive, restricting interactions with Exchange apps can reduce exposure to these vulnerabilities. Evaluate the impact on your organization and consider this option if feasible.

Microsoft’s Response

Microsoft has acknowledged the reported vulnerabilities and reviewed their severity. It has either addressed some of them in recent security updates or determined that they do not meet the criteria for immediate servicing under its severity classification guidelines. Specifically, Microsoft responded as follows:

  • Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected.
  • Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
  • Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials.
  • Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.

Microsoft has committed to evaluating these vulnerabilities for future product versions and updates as appropriate.

References

https://securityaffairs.com/153599/hacking/microsoft-exchange-zero-day-flaws.html?web_view=true

https://www.zerodayinitiative.com/advisories/ZDI-23-1578/

https://www.zerodayinitiative.com/advisories/ZDI-23-1579/

https://www.zerodayinitiative.com/advisories/ZDI-23-1580/

https://www.zerodayinitiative.com/advisories/ZDI-23-1581/