myhack58 | Anonymous | MYHACK58:62201992717
Jan 24, 2019 - 12:00 a.m.

Exchange Server privilege escalation vulnerability alert

2019-01-24 00:00:00
Anonymous
www.myhack58.com

CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.052 Low
Percentile: 92.2%

0x00 Vulnerability background
On November 13, 2018, MSRC published an elevation of privilege vulnerability in Exchange Server, numbered CVE-2018-8581. According to MSRC's description, an attacker who successfully exploits this vulnerability can take control of any user on the Exchange Server. On December 19, 2018, ZDI published a blog post disclosing the technical details of the vulnerability and how to exploit it; the effect achieved matches MSRC's description. Recently, security researchers outside China combined the vulnerability with domain attack techniques to produce a new exploitation method, and disclosed its technical details and exploit code on their blog. The new exploitation method can directly affect the domain controller, and the vendor has not yet released a corresponding patch, so the impact is serious. 360CERT recommends that Exchange Server users apply the corresponding mitigation measures as soon as possible to protect against the vulnerability.

0x01 Affected versions
Microsoft Exchange Server 2010
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019

0x02 Mitigation measures
The mitigation MSRC gives for this vulnerability is to delete the DisableLoopbackCheck value from the registry. Run the following command in a Command Prompt window with administrator privileges:
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /f
The new exploitation method relies on an LDAP relay attack, which can be mitigated by enabling LDAP signing and LDAP channel binding. In addition, the relay goes from HTTP to LDAP, and enforcing SMB signing on the Exchange Server can also provide some mitigation.
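
A read-only check of the settings named above, as an added example (not part of the original advisory or of MSRC's guidance). It assumes the standard Windows registry locations for LDAP server signing (LDAPServerIntegrity), LDAP channel binding (LdapEnforceChannelBinding) and SMB server signing (RequireSecuritySignature); the NTDS values exist only on domain controllers, so run it on the Exchange Server and on each domain controller:

```powershell
# Added example: audits the mitigations from section 0x02 without changing anything.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist under the key.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'          # DCs only
$smb  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    # Advisory: the value should be deleted; 0 also leaves the loopback check on.
    @{ Path = $lsa;  Name = 'DisableLoopbackCheck';      Want = 'absent or 0'
       Ok = { param($v) ($null -eq $v) -or ($v -eq 0) } },
    # 1 = signing not required, 2 = signing required.
    @{ Path = $ntds; Name = 'LDAPServerIntegrity';       Want = '2 (require signing)'
       Ok = { param($v) $v -eq 2 } },
    # 0 = never, 1 = when supported, 2 = always.
    @{ Path = $ntds; Name = 'LdapEnforceChannelBinding'; Want = '1 or 2'
       Ok = { param($v) $v -in 1, 2 } },
    # 1 = the SMB server requires signed sessions.
    @{ Path = $smb;  Name = 'RequireSecuritySignature';  Want = '1 (signing required)'
       Ok = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) {
        # Key missing entirely, e.g. NTDS parameters on a non-DC.
        $value = $null
        $state = 'n/a (key missing on this host)'
    } else {
        $value = Get-RegValueOrNull -Path $c.Path -Name $c.Name
        $state = if (& $c.Ok $value) { 'OK' } else { 'REVIEW' }
    }
    [pscustomobject]@{
        Setting  = $c.Name
        Current  = if ($null -eq $value) { '<absent>' } else { $value }
        Expected = $c.Want
        State    = $state
    }
}
$report | Format-Table -AutoSize
```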

0x03 Timeline
2018-11-13 MSRC discloses the vulnerability
2018-12-19 ZDI blog post discloses the exploitation details
2019-01-21 Security researchers disclose a new exploitation method
2019-01-23 360CERT issues an alert on the new exploitation method
