14 DAY TRIAL // Microsoft has acknowledged a vulnerability in Microsoft Exchange Server that would allow an attacker to impersonate a user who already has access to the exposed server.
The company says the elevation of privilege flaw affects Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 26, Microsoft Exchange Server 2013 Cumulative Update 22, Microsoft Exchange Server 2016 Cumulative Update 12, and Microsoft Exchange Server 2019 Cumulative Update 1.
“To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user,” Microsoft explains.
In an advisory today, the US-CERT warns that an attacker who successfully exploits the flaw can take control of an affected system and recommends users to check Microsoft’s technical document on the vulnerability.
Full patch next week?
The workarounds proposed by Microsoft involve configuring throttling policy for EWSMaxSubscriptions and set to value zero.
“This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally. Examples of impacted applications include Outlook for Mac, Skype for Business, notification reliant LOB applications, and some iOS native mail clients,” the software giant notes.
Microsoft hasn’t announced a full fix for the vulnerability, but this is likely to be released next week as part of the company’s Patch Tuesday cycle for February 2019. Security fixes for other Microsoft products, including Windows 10 cumulative updates, are also projected to be published on February 12.
At the time of writing this article, there are no details regarding any possible successful attacks, but system administrators are recommended to secure the servers in order to prevent any exploits, especially now when the vulnerability is gaining more exposure.
Full instructions to apply the workarounds are available on Microsoft’s advisory page linked above.