ngCERT Advisory Microsoft Exchange 2013 and Newer are vulnerable to NTLM relay attacks

Risk:
high
Damage:
high
Platform(s):
Microsoft® Exchange Server 2013
Advisory ID:
ngCERT-2019-0002
Version:
1.00
CVE:
CVE-2019-558
Published:
January 17, 2020

Summary


ngCERT Advisory Microsoft Exchange 2013 and Newer are vulnerable to NTLM relay attacks

Description & Consequence


OVERVIEW

WinRAR is a trialware file archiver utility for Windows which can create and view archives in RAR or ZIP file formats and unpack numerous archive file formats.

Description and Consequences

According to the WinRAR website, over 500 million users worldwide make WinRAR the world's most popular compression tool. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched. When a vulnerable version of WinRAR is used to extract the contents of a malicious archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.

Solution


The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

  1. Disable EWS push/pull subscriptions

     If you have an Exchange server that does not leverage EWS push/pull subscriptions, you can block the PushSubscription API call that triggers this attack. In an Exchange Management Shell window, execute the following commands:

       New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
       Restart-WebAppPool -Name MSExchangeServicesAppPool

  2. Remove privileges that Exchange has on the domain object
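The following PowerShell script is an added verification example; it is not part of the ngCERT or CERT/CC advisory. It reports whether the two workarounds above are in effect: it looks for an Organization-scoped throttling policy that sets EwsMaxSubscriptions to 0 (workaround 1), and it lists any access control entries on the domain object that are granted to the Exchange security groups (workaround 2). It assumes the script runs in an Exchange Management Shell on a host that also has the ActiveDirectory module, and it assumes the group names "Exchange Windows Permissions" and "Exchange Trusted Subsystem", which are the default groups Exchange setup creates but which the advisory itself does not name. The script only reads and reports; it changes nothing.

```powershell
# Added verification script (not part of the advisory). Run in an Exchange
# Management Shell on a host that also has the ActiveDirectory module.
# Assumptions not stated on the page: the Exchange group names below are the
# default groups created by Exchange setup.

function Test-EwsSubscriptionsBlocked {
    # Workaround 1 check: is there an Organization-scoped throttling policy with
    # EwsMaxSubscriptions = 0? (The advisory's own command creates one named NoEWSSubscription.)
    $policies = Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' }
    $blocked = $false
    foreach ($p in $policies) {
        # EwsMaxSubscriptions renders as "Unlimited" or a number, so compare it as text
        if ("$($p.EwsMaxSubscriptions)" -eq '0') {
            $blocked = $true
            Write-Output "OK: policy '$($p.Name)' sets EwsMaxSubscriptions to 0"
        }
    }
    if (-not $blocked) {
        Write-Warning 'No Organization-scoped throttling policy sets EwsMaxSubscriptions to 0; EWS push subscriptions are still allowed'
    }
    return $blocked
}

function Get-ExchangeDomainObjectRights {
    # Workaround 2 check: list ACEs on the domain object held by the Exchange groups.
    # Group names are an assumption of this script (default Exchange setup groups).
    $groups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path ('AD:\' + $domainDn)
    $acl.Access |
        Where-Object {
            $ace = $_
            # keep the ACE if its trustee is one of the Exchange groups (any domain prefix)
            $groups | Where-Object { $ace.IdentityReference.Value -like "*\$_" }
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Run both checks and summarise the result
$ewsOk  = Test-EwsSubscriptionsBlocked
$rights = Get-ExchangeDomainObjectRights
if ($rights) {
    Write-Warning "Exchange groups still hold rights on $((Get-ADDomain).DistinguishedName):"
    # Entries showing WriteDacl or GenericAll are the ones workaround 2 is concerned with
    $rights | Format-Table -AutoSize
} else {
    Write-Output 'OK: no ACEs for the Exchange groups were found on the domain object'
}
```

Use this as a post-change check after applying the workarounds, and re-run it after Exchange cumulative updates, since setup can restore the default group permissions on the domain object.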

Reference


  1. https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
  2. https://www.thezdi.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange
  3. https://docs.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.pushsubscription?view=exchange-ews-api+
  4. https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045(v%3Dexchg.140)
  5. https://msdn.microsoft.com/en-us/library/cc236702.aspx
  6. https://msdn.microsoft.com/en-us/library/cc236707.aspx

Revision

