Security for everyone

4 New Zero-Day Vulnerabilities Identified in Microsoft Exchange


Security for Everyone

08/Nov/23

In a statement by the Zero Day Initiative (ZDI), four new zero-day vulnerabilities were reported in the Microsoft Exchange product. All four require authentication; three are Server Side Request Forgery (SSRF) vulnerabilities and one is a Remote Code Execution (RCE) vulnerability. According to ZDI, the vulnerabilities were reported to the vendor in September 2023, the vendor assessed them as not requiring immediate servicing, and they have not yet been fixed.

The vulnerabilities were found by @chudyPB, a vulnerability researcher at the Zero Day Initiative:

I found SSRFs in Exchange OWA, which are not going to be fixed in the near future (or may not be fixed at all). One of them allows retrieving response content through the email attachments🙃 https://t.co/emutdfnNdS

— Piotr Bazydło (@chudyPB) November 2, 2023 

A Server Side Request Forgery (SSRF) vulnerability lets an attacker cause the server to send requests to a third network address of the attacker's choosing, as a side effect of operations the server performs. The server can thereby be made to fetch malicious content hosted at an attacker-controlled address. For this reason, SSRF is a vulnerability that can lead to further exploitation.

A Remote Code Execution (RCE) vulnerability is one in which the attacker can execute code on the remote server. An attacker who can run commands on the server with the rights of the exploited service can use it to gain persistence, escalate privileges, steal information, change settings, deploy ransomware, and much more.

There is no mitigation technique yet, and the vulnerabilities can already be exploited by authenticated users. The best course under these circumstances is to take frequent backups and monitor the servers for anomalies. Since three of the vulnerabilities are SSRF, network traffic originating from the server should be monitored and abnormal connections detected. Hardening the firewall rules will help prevent exploitation.

NOTE: External traffic must be blocked on Microsoft Exchange servers.

Since one of the vulnerabilities is RCE, commands executed by all users (including service accounts) on the system should be monitored, and in case of an abnormal situation the relevant user's account should be disabled. Changes to configuration files should be strictly tracked and newly created users monitored. Unfortunately, an attacker who exploits this vulnerability can run commands on the server with SYSTEM rights. Additionally, with the ability to run commands on the server, an attacker can use the Microsoft Exchange server to attack other internal servers.
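As an added example (not code from this post, from ZDI or from Microsoft), a small Python detector that implements the two monitoring points above over constructed Sysmon-style JSON events: outbound connections from the IIS worker process that hosts OWA (w3wp.exe) to addresses outside an internal allow-list, and shells spawned by that process. The allow-list ranges, the process names and the sample events are assumptions chosen for illustration.

```python
import ipaddress
import json

# Internal ranges an Exchange server is expected to reach (assumed allow-list
# for this example; replace with the real environment's ranges).
ALLOWED_DST = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IIS worker process that hosts OWA: a request forged through SSRF leaves from here.
IIS_WORKER = "w3wp.exe"
# Interpreters the IIS worker has no routine reason to spawn on an Exchange server.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}

# Constructed sample telemetry (JSON lines in a simplified Sysmon-like shape),
# not real events from the post or from any Exchange server.
SAMPLE_EVENTS = r'''
{"type": "net", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "dst": "10.0.0.25", "dport": 443, "user": "NT AUTHORITY\\SYSTEM"}
{"type": "net", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "dst": "203.0.113.77", "dport": 80, "user": "NT AUTHORITY\\SYSTEM"}
{"type": "proc", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"type": "proc", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "parent": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"}
'''.strip().splitlines()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_allowed_destination(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_DST)


def analyse(event: dict):
    """Return an alert string for a suspicious event, or None for a benign one."""
    if event["type"] == "net":
        # SSRF indicator: the OWA worker process connecting outside the allow-list.
        if basename(event["image"]) == IIS_WORKER and not is_allowed_destination(event["dst"]):
            return f"possible SSRF: {IIS_WORKER} connected to {event['dst']}:{event['dport']}"
    elif event["type"] == "proc":
        # RCE indicator: the worker process (running as SYSTEM) spawning a shell.
        child = basename(event["image"])
        if basename(event["parent"]) == IIS_WORKER and child in SUSPICIOUS_CHILDREN:
            return f"possible RCE: {IIS_WORKER} spawned {child} as {event['user']}"
    return None


def scan(lines):
    """Run every JSON event line through analyse() and collect the alerts."""
    return [alert for alert in (analyse(json.loads(line)) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the events would come from the EDR or SIEM feed and the allow-list from the network inventory; the internal connection and the svchost-spawned worker in the sample produce no alert.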

The fact that the vulnerabilities can only be exploited by authenticated users may give IT staff a false sense of security, but it should not be forgotten that in recent years attackers who have harvested the usernames and passwords of many users with information-stealing malware ("stealers") use those credentials to exploit exactly such zero-day vulnerabilities. Users' credentials may also fall into attackers' hands through phishing and social engineering. For this reason, unless it is absolutely necessary, limit access to the server to your own country and block access from abroad.

The CVSS 3.0 scores of the four zero-day vulnerabilities disclosed by ZDI range from 7.1 to 7.5, all corresponding to a "High" severity rating.

Microsoft made the following statement: “We've reviewed these reports and have found that they have either already been addressed or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate them in future product versions and updates as appropriate.”

Keep an eye on the servers and tighten access until Microsoft releases an update package that fixes these zero-day vulnerabilities.

Learn about current cyber security threats and the precautions to take by following securityforeveryone.com.
