Microsoft Exchange has quite a storied history of security vulnerabilities and breaches given its widespread usage in the corporate world. While there has not been much news regarding Exchange for a while, the Zero Day Initiative has found four vulnerabilities that, while not absolutely critical, could still pose a risk to organizations targeted by opportunistic threat actors.
A few days ago, the Zero Day Initiative disclosed four vulnerabilities in Microsoft Exchange. These vulnerabilities, outlined below, were initially disclosed to Microsoft on September 7th and 8th. However, Microsoft reportedly didn’t respond immediately, despite the potential of privilege escalation, sensitive information disclosure, or code execution.
- ZDI-23-1578 – A flaw within the ChainedSerializationBinder class, stemming from improper validation of user-supplied data, could lead to code execution as SYSTEM.
- ZDI-23-1579 – A flaw within the DownloadDataFromUri method could allow an attacker to disclose sensitive information.
- ZDI-23-1580 – A flaw within the DownloadDataFromOfficeMarketPlace method could allow an attacker to disclose sensitive information.
- ZDI-23-1581 – A flaw within the CreateAttachmentFromUri method could allow an attacker to disclose sensitive information.
Microsoft seemingly took some time to address these vulnerabilities because all of them require authentication to work, meaning an attacker needs valid Exchange credentials to exploit them. While there are numerous ways to get hold of these credentials, such as through phishing, the problems can be easily mitigated as is. The ZDI posts explain that “Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.”
While this isn’t an excuse to ignore the vulnerabilities, they are not calamitous issues either. However, it is an opportunity to review security best practices and ensure that your Exchange servers are up to date with the latest patches and are locked down to the point where these flaws are not going to be a problem.