Microsoft has released a new security advisory for an Elevation of Privilege vulnerability “PrivExchange” that impacts multiple versions of Microsoft Exchange Server.
A fix is under development; in the meantime, Microsoft has provided workarounds to help mitigate the threat. The issue affects on-premises installations of Exchange and does not affect Exchange Online.
An excerpt of the vulnerability as stated in the advisory (ADV190007):
“An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.”
To address the vulnerability, Microsoft said that a Throttling Policy setting EWSMaxSubscriptions to a value of zero could be defined and applied to the organization. This prevents the Exchange server from sending out EWS notifications.
In addition, blocking EWS subscriptions from being created can help prevent EWS from leaking the Exchange server’s NTLM credentials.
Organizations should be warned, however, that this change could negatively affect client applications that rely on EWS notifications (such as Outlook for Mac, the Skype for Business client, Apple mail clients and some third-party apps).
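As an added illustration, not taken from the advisory or this article, the following Exchange Management Shell session applies the organization-wide throttling policy described above, verifies the setting, and shows how to reverse it if the client impact is unacceptable. The policy name and the IIS application-pool restart step are assumptions, not details from the advisory.

```powershell
# Added example: run in the Exchange Management Shell on an on-premises Exchange server.
# The policy name 'NoEWSSubscription' is illustrative and not taken from the advisory.

# 1. Record any existing organization-scope policy so the change can be reviewed and reversed.
Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' } |
    Format-List Name, ThrottlingPolicyScope, EwsMaxSubscriptions

# 2. Create an organization-wide policy that forbids EWS subscriptions (EwsMaxSubscriptions = 0),
#    which stops the server from issuing the EWS push notifications the advisory refers to.
New-ThrottlingPolicy -Name 'NoEWSSubscription' `
    -ThrottlingPolicyScope Organization `
    -EwsMaxSubscriptions 0

# 3. Verify the policy exists and carries the expected value. The property is an Exchange
#    "Unlimited" type, so compare its string form rather than relying on numeric coercion.
$policy = Get-ThrottlingPolicy -Identity 'NoEWSSubscription'
if ("$($policy.EwsMaxSubscriptions)" -ne '0') {
    throw "Policy created, but EwsMaxSubscriptions is '$($policy.EwsMaxSubscriptions)', expected 0"
}

# 4. Recycle the EWS application pool on each Exchange server so the limit takes effect
#    immediately (assumption: the IIS WebAdministration module and the standard pool name are present).
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeServicesAppPool'

# Rollback, if the loss of EWS notifications breaks clients the organization depends on:
#   Remove-ThrottlingPolicy -Identity 'NoEWSSubscription' -Confirm:$false
#   Restart-WebAppPool -Name 'MSExchangeServicesAppPool'
```

Step 4 must be repeated on every Exchange server in the organization, since the policy is stored centrally but each server's EWS worker process reads it independently.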
Microsoft also references the issue in the blog post Abusing Exchange: One API call away from Domain Admin, as well as related workarounds such as disabling NTLM and implementing Active Directory split permissions.