Microsoft released a security advisory with mitigation measures and workarounds for an elevation of privilege vulnerability affecting Microsoft Exchange 2013 and newer which was made public by security researcher Dirk-jan Mollema, together with a proof-of-concept tool named PrivExchange.
Mollema’s PoC utility shows how would-be remote attackers could exploit this Microsoft Exchange Server vulnerability to gain the Exchange server’s admin privileges while only having the credentials of a single Exchange mailbox.
As explained by Microsoft in the ADV190007 security advisory:
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
First of all, the PrivExchange elevation of privilege vulnerability only affects OnPrem deployments, while Exchange Online is not affected.
Secondly, systems where the Windows Challenge/Response (NTLM) authentication protocol is disabled are not affected, because NTLM is one of the three vulnerabilities used to trigger the privilege escalation.
OnPrem deployments that implement Active Directory Split Permissions are also immune to PrivExchange exploitation attempts.
EWS can be stopped from leaking the Exchange server’s NTLM credentials by blocking the creation of EWS subscriptions.
This could come with some negative and unexpected behavior affecting users of EWS-powered apps such as Outlook for Mac, Skype for Business, notification reliant LOB applications, as well as a number of iOS native email clients.
Also, according to Microsoft, “It may also reduce the number of EWS connections the server can support. Because throttling policies can be applied per user, it is possible to whitelist trusted users who require EWS functionality.”
As described in Microsoft’s ADV190007 security advisory, the following steps have to be followed to block EWS subscriptions from being created:
Create an organization-scoped policy that blocks all EWS subscriptions:
`New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0`
Create a regular-scoped policy, which can be used to whitelist trusted users who must have full EWS functionality:
`New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000`
Assign the regular policy to any such users:
`Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions`
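The three steps above applied in one pass, with a verification of the result, as an added example that is not part of the article or of Microsoft's advisory. It assumes an Exchange Management Shell session; the policy names are the ones from the advisory, while the trusted-user identities in $TrustedUsers are constructed placeholders.

```powershell
# Added example (not from the article or ADV190007): apply the EWS subscription
# workaround for a whitelist of trusted users and verify what was applied.
# Assumes an Exchange Management Shell session with permission to manage
# throttling policies and mailboxes.
$TrustedUsers = @('User1', 'svc-lob-notify')   # constructed placeholder identities

# 1. Organization-scoped policy: block EWS subscriptions for everyone by default.
if (-not (Get-ThrottlingPolicy -Identity 'NoEwsSubscriptions' -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name 'NoEwsSubscriptions' -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
}

# 2. Regular-scoped policy used only to exempt trusted users.
if (-not (Get-ThrottlingPolicy -Identity 'AllowEwsSubscriptions' -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name 'AllowEwsSubscriptions' -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000
}

# 3. Assign the exemption to the whitelisted mailboxes only.
foreach ($user in $TrustedUsers) {
    Set-Mailbox -Identity $user -ThrottlingPolicy 'AllowEwsSubscriptions'
}

# 4. Verify: show the EWS subscription limit of every policy, then list every
#    mailbox that carries an explicit throttling policy, so the exemption list
#    can be reviewed against what was intended.
Get-ThrottlingPolicy | Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy } |
    Select-Object Alias, ThrottlingPolicy
```

Re-running the script is safe: the policies are only created when they do not already exist, and the mailbox assignment is idempotent.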
Microsoft is also working on releasing an update to patch the PrivExchange elevation of privilege vulnerability.
Users who have added a throttling policy for EwsMaxSubscriptions using the procedure detailed above can remove it using the following command:
`Remove-ThrottlingPolicy -Identity AllUsersEWSSubscriptionBlockPolicy`