-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0562
       MS15-026: Vulnerabilities in Microsoft Exchange Server Could
                       Allow Elevation of Privilege
                               11 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange Server
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1632 CVE-2015-1631 CVE-2015-1630
                   CVE-2015-1629 CVE-2015-1628 

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-026

- --------------------------BEGIN INCLUDED TEXT--------------------

Bulletin Number: MS15-026

Bulletin Title: Vulnerabilities in Microsoft Exchange Server Could Allow 
Elevation of Privilege

Severity: Important

KB Article: 3040856

Version: 1.0

Published Date: March 10, 2015

Description: This security update resolves vulnerabilities in Microsoft 
Exchange Server. The most severe of the vulnerabilities could allow elevation
of privilege if a user clicks a specially crafted URL that takes them to a 
targeted Outlook Web App site. An attacker would have no way to force users to
visit a specially crafted website. Instead, an attacker would have to convince
them to visit the website, typically by getting them to click a link in an 
instant messenger or email message that takes them to the attacker's website,
and then convince them to click the specially crafted URL.

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. 
The most severe of the vulnerabilities could allow elevation of privilege if a
user clicks a specially crafted URL that takes them to a targeted Outlook Web
App site. An attacker would have no way to force users to visit a specially 
crafted website. Instead, an attacker would have to convince them to visit the
website, typically by getting them to click a link in an instant messenger or
email message that takes them to the attacker's website, and then convince 
them to click the specially crafted URL.

This security update is rated Important for all supported editions of 
Microsoft Exchange Server 2013.

Affected Software

The following software versions or editions are affected.

Microsoft Exchange Server 2013 Service Pack 1

Microsoft Exchange Server 2013 Cumulative Update 7
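
The following PowerShell is an added example and is not part of the Microsoft
or AusCERT bulletin. It lists the Exchange 2013 servers in the organisation and
flags those still at the SP1 or CU7 base build, which is a quick way to scope
this update. It assumes (none of this is stated in the bulletin) that each
server exposes its install directory in the ExchangeInstallPath environment
variable, that the file version of ExSetup.exe is the build that security
updates change, and that the build installed by KB 3040856 is copied from that
KB article into $PatchedBuilds before a "patched" verdict is trusted.

```powershell
# Added example, not part of the Microsoft or AusCERT bulletin: report which
# Exchange 2013 servers are still at the SP1 or CU7 base build that MS15-026
# applies to. Run from the Exchange Management Shell with an account that can
# use PowerShell remoting to each server.
#
# Assumptions (not stated in the bulletin):
#  - each server has $env:ExchangeInstallPath set, and ExSetup.exe's file
#    version is the build that security updates change (AdminDisplayVersion
#    only reflects the CU / SP level, so it cannot tell patched from unpatched);
#  - $PatchedBuilds is filled from KB 3040856 before "patched" is trusted.

# RTM builds of the two affected releases named in the bulletin.
$AffectedBases = @{
    '15.0.847.32'  = 'Exchange 2013 SP1'
    '15.0.1044.25' = 'Exchange 2013 CU7'
}
# Placeholder (assumption): add the build(s) listed in KB 3040856 here.
$PatchedBuilds = @()

$servers = Get-ExchangeServer |
    Where-Object { "$($_.AdminDisplayVersion)" -like 'Version 15.0*' }

$report = foreach ($srv in $servers) {
    $build  = $null
    $status = $null
    try {
        $raw = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).FileVersion
        }
        # FileVersion is reported with padding, e.g. "15.00.0847.032"; pull the
        # four numeric parts and let [version] normalise them to "15.0.847.32"
        # so the value can be matched against the tables above.
        $m = [regex]::Match($raw, '\d+(\.\d+){3}')
        if (-not $m.Success) { throw "unrecognised version string '$raw'" }
        $build = ([version]$m.Value).ToString()
    } catch {
        $status = "could not read build: $($_.Exception.Message)"
    }

    if (-not $status) {
        $status = if ($AffectedBases.ContainsKey($build)) {
            "VULNERABLE: unpatched $($AffectedBases[$build])"
        } elseif ($PatchedBuilds -contains $build) {
            'patched: build listed in KB 3040856'
        } else {
            'unknown build: compare manually against KB 3040856'
        }
    }

    [pscustomobject]@{ Server = $srv.Name; Build = $build; Status = $status }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

The script reads the binary version rather than calling Get-HotFix because
Exchange security updates are Windows Installer patches (.msp) and do not show
up in the Win32_QuickFixEngineering data that Get-HotFix reports.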

Vulnerability Information

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server 
does not properly sanitize page content in Outlook Web App. Although Microsoft
classes them as elevation of privilege, these are cross-site scripting bugs. An
attacker could exploit these vulnerabilities by modifying certain properties 
within Outlook Web App and then convincing users to browse to the targeted 
Outlook Web App site. An attacker who successfully exploited these 
vulnerabilities could run script in the context of the current user, that is, 
inside the victim's authenticated Outlook Web App session. The script could 
then, for example, use the victim's identity to take actions on the affected 
Outlook Web App site on behalf of the victim with the same permissions as the 
current user. Any system that is used to access an affected version of Outlook
Web App is potentially at risk. The update addresses the vulnerabilities by 
correcting how Exchange Server sanitizes page content in Outlook Web App.

For these vulnerabilities to be exploited, a user must click a specially 
crafted URL that takes the user to a targeted Outlook Web App site.

In an email attack scenario, an attacker could exploit the vulnerabilities by
sending an email message containing the specially crafted URL to the user of 
the targeted Outlook Web App site and convincing the user to click the 
specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that
contains a specially crafted URL to the targeted Outlook Web App site that is
used to attempt to exploit these vulnerabilities. In addition, compromised 
websites and websites that accept or host user-provided content could contain
specially crafted content that could exploit these vulnerabilities. An 
attacker would have no way to force users to visit a specially crafted 
website. Instead, an attacker would have to convince them to visit the 
website, typically by getting them to click a link in an instant messenger or
email message that takes them to the attacker's website, and then convince 
them to click the specially crafted URL.

Vulnerability title                      CVE number     Publicly    Exploited
                                                        Disclosed

OWA Modified Canary Parameter Cross      CVE-2015-1628  No          No
Site Scripting Vulnerability

ExchangeDLP Cross Site Scripting         CVE-2015-1629  No          No
Vulnerability

Audit Report Cross Site Scripting        CVE-2015-1630  No          No
Vulnerability

Exchange Error Message Cross Site        CVE-2015-1632  No          No
Scripting Vulnerability

CVE-2015-1631, the fifth CVE in this bulletin, is a spoofing issue rather than
a cross-site scripting bug and is described separately below.

Exchange Forged Meeting Request Spoofing Vulnerability - CVE-2015-1631

A spoofing vulnerability exists in Exchange Server when Exchange fails to 
properly validate meeting organizer identity when accepting or modifying 
meeting requests. An attacker who successfully exploited this vulnerability 
could schedule or modify meetings that appear to originate from a legitimate 
meeting organizer. Customers using affected versions of Exchange Server are at
risk from this vulnerability. The update addresses the vulnerability by 
correcting the way Exchange validates meeting organizer authenticity when 
accepting, scheduling, or modifying meeting requests in Exchange calendars.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was issued, Microsoft 
had not received any information to indicate that this vulnerability had been
publicly used to attack customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----