8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.076 Low
EPSS
Percentile
94.1%
Microsoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server.
Microsoft Exchange supports a API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscriptionRequest, which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks.
Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.
An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user’s password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as an Exchange user.
Apply an update
This issue is mitigated by the Microsoft Exchange updates for CVE-2019-0686. This update will cause the Exchange server to not attempt NTLM authentication with hosts that it contacts as the result of a PushSubscriptionRequest API call. The versions of Exchange that contain this fix include:
Disable EWS push/pull subscriptions
If you have an exchange server that does not leverage EWS push/pull subscriptions, you can block the PushSubscriptionRequest API call that triggers this attack. In an Exchange Management Shell window, execute the following commands:
New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
Restart-WebAppPool -Name MSExchangeServicesAppPool
Remove privileges that Exchange has on the domain object
Please note that the following workaround was not developed by CERT and is not supported by Microsoft. Please test any workarounds in your environment to ensure that they work properly.
<https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/Fix-DomainObjectDACL.ps1> is a PowerShell script that can be executed on either the Exchange Server or Domain Controller system. By default this script will check for vulnerable access control entries in the current active directory. When executed with Domain Admin privileges and the -Fix
flag, this script will remove the ability for Exchange to write to the domain object.
Note that if you encounter an error about Get-ADDomainController not being recognized, you will need to install and import the ActiveDirectory PowerShell module, and then finally run Fix-DomainObjectDACL.ps1 :
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
.\Fix-DomainObjectDACL.ps1
If the script reports that faulty ACE were found, run:
.\``Fix-DomainObjectDACL.ps1 -Fix
PowerShell may be configured to block the execution of user-provided .ps1
files. If this is the case, first find your current PowerShell execution policy:
Get-ExecutionPolicy
Temporarily allow the execution of the Fix-DomainObjectDACL.ps1
script by running:
Set-ExecutionPolicy unrestricted
Once you are finished running the Fix-DomainObjectDACL.ps1
script, set the policy back to the original value as reported by Get-ExecutionPolicy
:
Set-ExecutionPolicy [POLICY]
Consider additional workarounds
465632
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: January 26, 2019 Updated: February 20, 2019
Affected
Microsoft is aware of this vulnerability and is working on a resolution
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.5 | E:F/RL:W/RC:C |
Environmental | 7.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This vulnerability was publicly disclosed by Dirk-jan Mollema.
This document was written by Will Dormann.
CVE IDs: | CVE-2019-0686 |
---|---|
Date Public: | 2019-01-21 Date First Published: |
dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
docs.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.pushsubscription?view=exchange-ews-api+
docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pushsubscriptionrequest
docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045(v%3Dexchg.140)
msdn.microsoft.com/en-us/library/cc236702.aspx
msdn.microsoft.com/en-us/library/cc236707.aspx
portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0724
www.thezdi.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.076 Low
EPSS
Percentile
94.1%