Microsoft Exchange is currently under threat due to four newly discovered zero-day vulnerabilities, which attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations. These vulnerabilities were disclosed by Trend Micro’s Zero Day Initiative (ZDI) on September 7th and 8th, 2023. Despite their potential threat, Microsoft has chosen to delay the servicing of these flaws, a decision that has sparked controversy within the cybersecurity community.

The vulnerabilities, each assigned a unique tracking ID by ZDI, are as follows:

  • ZDI-23-1578: This remote code execution (RCE) flaw resides in the ‘ChainedSerializationBinder’ class. It arises from insufficient validation of user-supplied data, which lets the server deserialize untrusted input. Successful exploitation allows an attacker to execute arbitrary code as ‘SYSTEM,’ the highest level of privileges on Windows.
  • ZDI-23-1579: This flaw is located in the ‘DownloadDataFromUri’ method and stems from inadequate validation of a URI before resource access. It allows attackers to access sensitive information from Exchange servers.
  • ZDI-23-1580: This vulnerability, found in the ‘DownloadDataFromOfficeMarketPlace’ method, also arises from improper URI validation, potentially leading to unauthorized information disclosure.
  • ZDI-23-1581: Located in the ‘CreateAttachmentFromUri’ method, this flaw mirrors the previous bugs with inadequate URI validation, risking sensitive data exposure.
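The two bug classes in the list above, a deserializer that binds whatever type the input names and a URI that is fetched without being validated first, have well-known defensive counterparts. The following Python example is added here to illustrate them; it is not Exchange code, and the `SAFE_TYPES` and `ALLOWED_HOSTS` sets, the host names and the sample payloads are constructed assumptions standing in for .NET's SerializationBinder and the DownloadDataFromUri-style helpers named in the advisories.

```python
# Added illustration (not Exchange code): a type allow-list on
# deserialization, and URI validation before the server fetches a resource.
import io
import ipaddress
import pickle
import socket
from collections import OrderedDict
from urllib.parse import urlparse

# --- 1. Deserialization with a type allow-list (cf. ZDI-23-1578) ---------

# Only these (module, name) pairs may be resolved while unpickling.
# Anything else, including any callable, is refused before it is built.
SAFE_TYPES = {("collections", "OrderedDict")}  # assumed allow-list


class RestrictedUnpickler(pickle.Unpickler):
    """Analogue of a SerializationBinder that binds only approved types."""

    def find_class(self, module, name):
        if (module, name) in SAFE_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused type {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize `data`, refusing any type outside SAFE_TYPES."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_loads(data: bytes):
    """Return (True, object) on success or (False, reason) on refusal."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples: a harmless OrderedDict, and a payload that merely
# references the builtin `eval`, standing in for any type the allow-list
# must reject (plain pickle.loads would hand the function object back).
SAMPLE_BENIGN = pickle.dumps(OrderedDict(mailbox="user1", quota=10))
SAMPLE_HOSTILE = pickle.dumps(eval)

# --- 2. URI validation before resource access (cf. ZDI-23-1579..1581) ----

# Hosts the server is allowed to download from (assumed allow-list).
ALLOWED_HOSTS = {"marketplace.example.com"}


def check_download_uri(uri, allowed_hosts=ALLOWED_HOSTS,
                       resolver=socket.gethostbyname):
    """Return (True, normalized_uri) if the fetch is permitted, else (False, reason).

    `resolver(host) -> ip string` is injectable so the check runs offline;
    the address it returns must be the one the client then connects to,
    otherwise a second DNS lookup could answer differently.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URI"
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allow-list"
    addr = ipaddress.ip_address(resolver(host))
    # Loopback, link-local, RFC 1918 and other non-global ranges are refused
    # so a poisoned DNS answer cannot redirect the fetch inside the network.
    if not addr.is_global:
        return False, f"{host} resolves to non-global address {addr}"
    return True, parsed.geturl()


if __name__ == "__main__":
    print(try_restricted_loads(SAMPLE_BENIGN))
    print(try_restricted_loads(SAMPLE_HOSTILE))
    print(check_download_uri("https://marketplace.example.com/app.xml",
                             resolver=lambda h: "93.184.216.34"))
    print(check_download_uri("https://marketplace.example.com/app.xml",
                             resolver=lambda h: "127.0.0.1"))
```

Two design points carry over to any language: the allow-list is checked before an object is constructed, not after, and the URI check validates the resolved address as well as the host name, since an allow-listed name is only as trustworthy as the DNS answer behind it. Any HTTP redirect the download follows needs the same check applied to the new location.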

While these vulnerabilities require authentication for exploitation, reducing their CVSS severity rating to between 7.1 and 7.5, it is crucial not to underestimate their potential damage. Cybercriminals have various methods to obtain Exchange credentials, including brute-forcing weak passwords, conducting phishing attacks, or purchasing them from info-stealer logs.

Mitigation

The most concerning vulnerability is ZDI-23-1578 (RCE), which could result in a complete system compromise if exploited. As a mitigation strategy, ZDI suggests restricting interaction with Exchange apps, but this could be highly disruptive for businesses and organizations relying on the product.

In addition to this, implementing multi-factor authentication can provide an extra layer of security, preventing cybercriminals from accessing Exchange instances even when account credentials have been compromised.

Microsoft responds

In response to the vulnerabilities, a Microsoft spokesperson stated to BleepingComputer: “We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we’re committed to taking the necessary steps to help protect customers.”

Microsoft further clarified that customers who applied the August Security Updates are already protected against ZDI-23-1578. The remaining vulnerabilities (ZDI-23-1579, ZDI-23-1580, and ZDI-23-1581) require prior access to email credentials and do not present an immediate threat according to Microsoft’s severity classification guidelines.

In conclusion, while Microsoft has downplayed the severity of these vulnerabilities and delayed their fixes, it is essential for businesses and organizations using Microsoft Exchange to remain vigilant. Implementing robust security measures such as multi-factor authentication and keeping abreast of the latest security updates can help mitigate potential threats.

Stop zero-day attacks on Exchange Server with Messageware Z-Day Guard

Messageware Z-Day offers next-generation threat hunting. Protect your Microsoft Exchange servers against zero-day attacks. Z-Day detects changes to the environment that indicate the dropping of Command and Control (C&C) web shells. C&C web shells commonly reach out to the internet, enabling remote access to your network.

Z-Day is a server protection solution focused on detection, alerting, and response (MDR/MDAR) to zero-day attacks and server penetrations. Messageware Z-Day actively protects servers using embedded monitoring technology that cannot be turned off by malicious software.
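The "detects changes to the environment" claim above comes down to baselining a web root and alerting on files the web server would execute that appear or change afterwards. The Python below is an added illustration of that check, not Messageware's product or code; the directory layout, file names and the extension list are constructed assumptions.

```python
# Added illustration (not Messageware code): baseline a web root, diff it
# later, and surface added or modified server-executable files.
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS would execute server-side under an Exchange web root;
# a new or altered file with one of these is worth an alert. (Assumed list.)
WEB_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml"}


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(before: dict, after: dict) -> list:
    """Return sorted (event, relpath) pairs for added, modified and removed files."""
    events = []
    for rel, digest in after.items():
        if rel not in before:
            events.append(("added", rel))
        elif before[rel] != digest:
            events.append(("modified", rel))
    for rel in before:
        if rel not in after:
            events.append(("removed", rel))
    return sorted(events)


def suspicious_events(events: list) -> list:
    """Keep only added/modified files the web server would execute."""
    return [(ev, rel) for ev, rel in events
            if ev != "removed" and Path(rel).suffix.lower() in WEB_EXECUTABLE]


def demo() -> list:
    """Constructed scenario: baseline, then a new .aspx appears and a page changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa").mkdir()
        (root / "owa" / "auth.aspx").write_text("<!-- legitimate page -->")
        baseline = snapshot(root)
        # Simulate a dropped file, a tampered existing page, and a harmless note.
        (root / "owa" / "dropped.aspx").write_text("<!-- new file -->")
        (root / "owa" / "auth.aspx").write_text("<!-- changed -->")
        (root / "owa" / "notes.txt").write_text("harmless")
        return suspicious_events(diff_snapshots(baseline, snapshot(root)))


if __name__ == "__main__":
    for event, rel in demo():
        print(f"ALERT {event}: {rel}")
```

Taking the baseline right after a patch is applied keeps legitimate update churn out of the alerts; the comparison should run from a process the monitored server cannot tamper with, which is the property the product text describes as monitoring that cannot be turned off.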