Microsoft Confirms Serious ‘PrivExchange' Vulnerability (Feb 6, 2019)
Microsoft has confirmed a high-severity privilege escalation flaw in Microsoft Exchange Server. Both Microsoft and US-CERT released official warnings regarding the flaw, called "PrivExchange." The flaw is a result of a default setting in Microsoft Exchange Server, the mail and calendar server, that could allow a threat actor with a basic mailbox account to execute a Man-in-the-Middle (MITM) attack utilising one of two Python-based tools: "privexchange.py" and "ntlmrelayx.py." These tools forward an authentication request to a Microsoft Exchange Server in a way that could allow impersonation of another Exchange user and let the threat actor obtain domain administrator privileges. Domain administrator privileges give the user access to the full Exchange Server and the ability to perform almost any task on the server. Only "OnPrem" (on-premises) deployments are at risk; Exchange Online is not affected. Microsoft is currently developing a patch.
Recommendation: While a patch is being created, Microsoft said there are some workarounds that can be used to reduce the risk of exploitation, though there are no hard solutions. The workaround requires an administrator to define and apply a "Throttling Policy" that sets EWSMaxSubscriptions to a value of zero. This limits the number of subscriptions allowed through Exchange Web Services to none, which blocks the server from sending any notifications and prevents client applications that rely on them from functioning normally. For more information regarding the vulnerability and the workaround, see Microsoft's advisory: "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007"
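The throttling-policy workaround described above, as an added Exchange Management Shell example (not taken from Microsoft's advisory or from this briefing); the policy name "NoEWSSubscription" and the mailbox identity are assumed placeholders, and the optional EWS app-pool restart is included on the assumption that the server caches throttling settings.

```powershell
# Assumed policy name; any unique name works.
$policyName = 'NoEWSSubscription'

# Organization-scoped policy applies to every mailbox that has no explicit
# per-mailbox throttling policy. EwsMaxSubscriptions 0 removes the ability to
# create EWS push/pull subscriptions, which is what the workaround relies on.
New-ThrottlingPolicy -Name $policyName `
    -ThrottlingPolicyScope Organization `
    -EwsMaxSubscriptions 0

# Alternative, narrower application: pin the policy to a single mailbox
# (assumed identity) instead of the whole organization.
# Set-Mailbox -Identity 'user@example.com' -ThrottlingPolicy $policyName

# Verification: confirm the value actually took, and list any mailboxes still
# bound to a policy that permits subscriptions.
Get-ThrottlingPolicy -Identity $policyName |
    Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy -and $_.ThrottlingPolicy -ne $policyName } |
    Select-Object Name, ThrottlingPolicy

# Optional: restart the EWS application pool so the cached throttling
# settings are re-read immediately rather than on the next refresh.
Restart-WebAppPool -Name MSExchangeServicesAppPool

# Rollback once the vendor patch is deployed: remove the policy so EWS
# notifications (and the client features that depend on them) resume.
# Remove-ThrottlingPolicy -Identity $policyName -Confirm:$false
```

Expect Outlook and other EWS-notification consumers to lose push/pull notification features while the policy is in place, as the advisory notes; re-run the verification query after rollback to confirm no mailbox is still pinned to the removed policy.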