===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0285
  Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks
                              31 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange Server 2013
                   Microsoft Exchange Server 2016
                   Microsoft Exchange Server 2019
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Mitigation

Original Bulletin: 
   https://www.kb.cert.org/vuls/id/465632/

---------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

Vulnerability Note VU#465632

Original Release Date: 2019-01-28 | Last Revised: 2019-01-30


Overview

Microsoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM
authentication traffic, which can allow a remote attacker to gain the
privileges of the Exchange server.


Description

Microsoft Exchange supports an API called Exchange Web Services (EWS). One of
the EWS API functions is called PushSubscriptionRequest, which can be used to
cause the Exchange server to connect to an arbitrary website. Connections made
using the PushSubscriptionRequest function will attempt to negotiate with the
arbitrary web server using NTLM authentication. Starting with Microsoft
Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and
Seal flags. The lack of signing makes this authentication attempt vulnerable to
NTLM relay attacks.

Microsoft Exchange is by default configured with extensive privileges with
respect to the Domain object in Active Directory. Because the Exchange Windows
Permissions group has WriteDacl access to the Domain object, this means that
the Exchange server privileges obtained using this vulnerability can be used to
gain Domain Admin privileges for the domain that contains the vulnerable
Exchange server.
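The flags the note refers to are the NegotiateFlags field of the NTLM messages defined in MS-NLMP (referenced below). The following PowerShell function is an added example, not part of the CERT note: it decodes an NTLM token as carried in an HTTP "Authorization: NTLM <base64>" header and reports whether the Sign, Seal and Always Sign flags are present, so a defender can verify from a capture of their own Exchange server's outbound EWS callback whether its negotiation is unsigned. The sample token at the end is constructed for illustration.

```powershell
# Added example (not from the CERT note). Parses NTLM NEGOTIATE/CHALLENGE/AUTHENTICATE
# tokens and reports the MS-NLMP NegotiateFlags relevant to relay protection.
function Test-NtlmSignSeal {
    param([Parameter(Mandatory)][string]$Base64Token)

    $bytes = [Convert]::FromBase64String($Base64Token)
    # All NTLM messages start with the 8-byte signature "NTLMSSP\0" followed by
    # a little-endian uint32 MessageType at offset 8.
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 7)
    if ($sig -ne 'NTLMSSP' -or $bytes[7] -ne 0) { throw 'Not an NTLMSSP token' }
    $type = [BitConverter]::ToUInt32($bytes, 8)

    # NegotiateFlags sits at a different offset in each message type
    # (MS-NLMP 2.2.1.1 NEGOTIATE, 2.2.1.2 CHALLENGE, 2.2.1.3 AUTHENTICATE).
    $flagsOffset = switch ($type) {
        1 { 12 }
        2 { 20 }
        3 { 60 }
        default { throw "Unknown NTLM message type $type" }
    }
    $flags = [BitConverter]::ToUInt32($bytes, $flagsOffset)

    [pscustomobject]@{
        MessageType = $type
        Flags       = ('0x{0:X8}' -f $flags)
        Sign        = [bool]($flags -band 0x00000010)   # NTLMSSP_NEGOTIATE_SIGN
        Seal        = [bool]($flags -band 0x00000020)   # NTLMSSP_NEGOTIATE_SEAL
        AlwaysSign  = [bool]($flags -band 0x00008000)   # NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    }
}

# Constructed sample NEGOTIATE (Type 1) token: flags 0x00008205 =
# UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN, with SIGN and SEAL both clear,
# and empty DomainName/Workstation fields. Expect Sign=False, Seal=False.
$sample = [byte[]](0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,   # "NTLMSSP\0"
                   0x01,0x00,0x00,0x00,                       # MessageType = 1
                   0x05,0x82,0x00,0x00,                       # NegotiateFlags (LE)
                   0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0)          # empty field descriptors
Test-NtlmSignSeal -Base64Token ([Convert]::ToBase64String($sample))
```

To check a real exchange, paste the base64 value from the Authorization header of the request your test endpoint received in place of the constructed sample.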


Impact

An attacker that has credentials for an Exchange mailbox and also has the
ability to communicate with both a Microsoft Exchange server and a Windows
domain controller may be able to gain domain administrator privileges. It is
also reported that an attacker without knowledge of an Exchange user's password
may be able to perform the same attack by using an SMB to HTTP relay attack as
long as they are in the same network segment as an Exchange user.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.
Please consider the following workarounds:

Disable EWS push/pull subscriptions

If you have an Exchange server that does not leverage EWS push/pull
subscriptions, you can block the PushSubscriptionRequest API call that triggers
this attack. In an Exchange Management Shell window, execute the following
commands:

    New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
    Restart-WebAppPool -Name MSExchangeServicesAppPool


Remove privileges that Exchange has on the domain object

Please note that the following workaround was not developed by CERT and is not
supported by Microsoft. Please test any workarounds in your environment to
ensure that they work properly.

https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/Fix-DomainObjectDACL.ps1
is a PowerShell script that can be executed on either the Exchange Server or
Domain Controller system. By default this script will check for vulnerable
access control entries in the current Active Directory. When executed with
Domain Admin privileges and the -Fix flag, this script will remove the ability
for Exchange to write to the domain object.

Note that if you encounter an error about Get-ADDomainController not being
recognized, you will need to install and import the ActiveDirectory PowerShell
module, and then finally run Fix-DomainObjectDACL.ps1:

    Import-Module ServerManager
    Add-WindowsFeature RSAT-AD-PowerShell
    Import-Module ActiveDirectory
    .\Fix-DomainObjectDACL.ps1


If the script reports that faulty ACEs were found, run:

    .\Fix-DomainObjectDACL.ps1 -Fix


PowerShell may be configured to block the execution of user-provided .ps1
files. If this is the case, first find your current PowerShell execution
policy:

    Get-ExecutionPolicy

Temporarily allow the execution of the Fix-DomainObjectDACL.ps1 script by
running:

    Set-ExecutionPolicy unrestricted

Once you are finished running the Fix-DomainObjectDACL.ps1 script, set the
policy back to the original value as reported by Get-ExecutionPolicy:

    Set-ExecutionPolicy [POLICY]
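Whether or not you use the script above, you will want an independent, read-only check that the domain object no longer grants WriteDacl to Exchange. The following function is an added example and is not part of the CERT note or of Fix-DomainObjectDACL.ps1; it assumes the ActiveDirectory module is installed (see the RSAT steps above) and by default looks only for the Exchange Windows Permissions group the note names, with a parameter to add other groups.

```powershell
# Added audit example (not from the CERT note or Fix-DomainObjectDACL.ps1).
# Read-only: enumerates allow ACEs on the domain object that include WriteDacl
# and whose trustee is one of the named Exchange groups.
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl

function Get-ExchangeDomainWriteDacl {
    param(
        # Trustees to look for. "Exchange Windows Permissions" is the group the
        # note identifies; add others if your environment delegates differently.
        [string[]]$GroupNames = @('Exchange Windows Permissions')
    )

    $domainDN  = (Get-ADDomain).DistinguishedName
    $acl       = Get-Acl -Path "AD:\$domainDN"
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    $acl.Access | Where-Object {
        # Strip the "DOMAIN\" prefix so the comparison is on the group name only.
        $trustee = $_.IdentityReference.Value -replace '^.*\\', ''
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeDacl) -eq $writeDacl) -and
        ($GroupNames -contains $trustee)
    } | Select-Object @{n='DomainObject'; e={ $domainDN }},
                      IdentityReference, ActiveDirectoryRights,
                      IsInherited, InheritanceType, ObjectType
}

# Run the audit. An empty result means no matching WriteDacl ACE remains;
# any rows mean the fix above is still needed (or has been reverted, e.g. by
# an Exchange setup /PrepareAD run, so this is worth scheduling periodically).
$hits = Get-ExchangeDomainWriteDacl
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No WriteDacl ACE for the Exchange groups found on the domain object."
}
```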

Consider additional workarounds

The blog post for this vulnerability contains several mitigations that may also
help protect against this and similar vulnerabilities.


CVSS Metrics

    Group          Score   Vector
    Base           8.3     AV:A/AC:L/Au:N/C:C/I:C/A:C
    Temporal       7.5     E:F/RL:W/RC:C
    Environmental  7.5     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND


References

  o https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
  o https://www.thezdi.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange
  o https://docs.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.pushsubscription?view=exchange-ews-api+
  o https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pushsubscriptionrequest
  o https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045(v%3Dexchg.140)
  o https://msdn.microsoft.com/en-us/library/cc236702.aspx
  o https://msdn.microsoft.com/en-us/library/cc236707.aspx

Credit

This vulnerability was publicly disclosed by Dirk-jan Mollema.

This document was written by Will Dormann.

Other Information

CVE IDs:                     None
Date Public:                 2019-01-21
Date First Published:        2019-01-28
Date Last Updated:           2019-01-30 19:30 UTC
Document Revision:           28

---------------------------END INCLUDED TEXT--------------------

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================