11 March 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0562
   MS15-026: Vulnerabilities in Microsoft Exchange Server Could Allow
                          Elevation of Privilege
                               11 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange Server
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1632 CVE-2015-1631 CVE-2015-1630 CVE-2015-1629
                   CVE-2015-1628

Original Bulletin:
   https://technet.microsoft.com/en-us/library/security/MS15-026

- --------------------------BEGIN INCLUDED TEXT--------------------

Bulletin Number:  MS15-026
Bulletin Title:   Vulnerabilities in Microsoft Exchange Server Could Allow
                  Elevation of Privilege
Severity:         Important
KB Article:       3040856
Version:          1.0
Published Date:   March 10, 2015

Description:

This security update resolves vulnerabilities in Microsoft Exchange Server. The
most severe of the vulnerabilities could allow elevation of privilege if a user
clicks a specially crafted URL that takes them to a targeted Outlook Web App
site. An attacker would have no way to force users to visit a specially crafted
website. Instead, an attacker would have to convince them to visit the website,
typically by getting them to click a link in an instant messenger or email
message that takes them to the attacker's website, and then convince them to
click the specially crafted URL.

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The
most severe of the vulnerabilities could allow elevation of privilege if a user
clicks a specially crafted URL that takes them to a targeted Outlook Web App
site. An attacker would have no way to force users to visit a specially crafted
website. Instead, an attacker would have to convince them to visit the website,
typically by getting them to click a link in an instant messenger or email
message that takes them to the attacker's website, and then convince them to
click the specially crafted URL.

This security update is rated Important for all supported editions of
Microsoft Exchange Server 2013.

Affected Software

The following software versions or editions are affected.

  Microsoft Exchange Server 2013 Service Pack 1
  Microsoft Exchange Server 2013 Cumulative Update 7

Vulnerability Information

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server
does not properly sanitize page content in Outlook Web App. An attacker could
exploit these vulnerabilities by modifying certain properties within Outlook
Web App and then convincing users to browse to the targeted Outlook Web App
site. An attacker who successfully exploited these vulnerabilities could run
script in the context of the current user. The script could then, for example,
use the victim's identity to take actions on the affected Outlook Web App site
on behalf of the victim with the same permissions as the current user.

Any system that is used to access an affected version of Outlook Web App would
potentially be at risk to attack. The update addresses the vulnerabilities by
correcting how Exchange Server sanitizes page content in Outlook Web App.

For these vulnerabilities to be exploited, a user must click a specially
crafted URL that takes the user to a targeted Outlook Web App site. In an email
attack scenario, an attacker could exploit the vulnerabilities by sending an
email message containing the specially crafted URL to the user of the targeted
Outlook Web App site and convincing the user to click the specially crafted
URL. In a web-based attack scenario, an attacker would have to host a website
that contains a specially crafted URL to the targeted Outlook Web App site that
is used to attempt to exploit these vulnerabilities. In addition, compromised
websites and websites that accept or host user-provided content could contain
specially crafted content that could exploit these vulnerabilities. An attacker
would have no way to force users to visit a specially crafted website. Instead,
an attacker would have to convince them to visit the website, typically by
getting them to click a link in an instant messenger or email message that
takes them to the attacker's website, and then convince them to click the
specially crafted URL.

Vulnerability title                           CVE number     Publicly   Exploited
                                                             Disclosed
OWA Modified Canary Parameter Cross Site      CVE-2015-1628  No         No
  Scripting Vulnerability
ExchangeDLP Cross Site Scripting              CVE-2015-1629  No         No
  Vulnerability
Audit Report Cross Site Scripting             CVE-2015-1630  No         No
  Vulnerability
Exchange Error Message Cross Site Scripting   CVE-2015-1632  No         No
  Vulnerability

Exchange Forged Meeting Request Spoofing Vulnerability - CVE-2015-1631

A spoofing vulnerability exists in Exchange Server when Exchange fails to
properly validate meeting organizer identity when accepting or modifying
meeting requests. An attacker who successfully exploited this vulnerability
could then use the vulnerability to schedule or modify meetings while appearing
to originate from a legitimate meeting organizer. Customers using affected
versions of Exchange Server are at risk for this vulnerability. The update
addresses the vulnerability by correcting the way Exchange validates meeting
organizer authenticity when accepting, scheduling, or modifying meeting
requests in Exchange calendars.

Microsoft received information about this vulnerability through coordinated
vulnerability disclosure.
When this security bulletin was issued, Microsoft had not received any
information to indicate that this vulnerability had been publicly used to
attack customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to email@example.com and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
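As an added illustration that is neither Exchange code nor part of the bulletin above, the following Python models the organizer-identity check that CVE-2015-1631 describes as missing: a toy calendar that, with validation enabled, accepts a meeting request only when the ORGANIZER it claims matches the identity the server already authenticated, and lets only that organizer modify an existing meeting. The CalendarStore class, the mailboxes and the UIDs are assumptions made for this example.

```python
# Added illustration, not Exchange code: a minimal model of the organizer
# identity check that the advisory says was missing (CVE-2015-1631).
# All mailboxes, UIDs and subjects below are constructed sample values.


class OrganizerMismatch(Exception):
    """Raised when a request claims an organizer the server cannot vouch for."""


class CalendarStore:
    """Toy calendar mapping UID -> (organizer, subject). validate=False
    reproduces the pre-patch behaviour: the ORGANIZER property in the
    request is trusted as received."""

    def __init__(self, validate=True):
        self.validate = validate
        self.meetings = {}

    def apply_request(self, request, authenticated_sender):
        # `request` carries iCalendar-style properties (UID, ORGANIZER, SUMMARY).
        # `authenticated_sender` is the identity the transport layer already
        # verified; unlike ORGANIZER, the requester cannot choose it freely.
        claimed = request["ORGANIZER"].lower()
        sender = authenticated_sender.lower()
        existing = self.meetings.get(request["UID"])
        if self.validate:
            if claimed != sender:
                raise OrganizerMismatch(f"{sender} claims to be {claimed}")
            if existing is not None and existing[0] != sender:
                raise OrganizerMismatch(
                    f"{sender} may not modify a meeting organized by {existing[0]}")
        self.meetings[request["UID"]] = (claimed, request["SUMMARY"])
        return claimed


def demo():
    # Same forged request against both behaviours: returns the organizer the
    # unpatched store records, and the patched store's result (None = rejected).
    forged = {"UID": "mtg-001", "ORGANIZER": "ceo@example.test",
              "SUMMARY": "Budget review"}
    recorded = CalendarStore(validate=False).apply_request(forged, "impostor@example.test")
    try:
        accepted = CalendarStore(validate=True).apply_request(forged, "impostor@example.test")
    except OrganizerMismatch:
        accepted = None
    return recorded, accepted
```

The unvalidated store records the forged organizer as the meeting's owner, which is the spoofing outcome the bulletin describes; the validated store rejects the request because the claimed organizer is not the authenticated sender.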