Exchange 2013 or later fails to properly authenticate and validate certain requests, allowing a remote attacker with access to an Exchange mailbox to gain full Domain Administrative privileges. CVSS Base Score: 8.3
Likelihood of exploit success
Very high - all required exploit code is publicly available.
Monitor Domain Controller Security Event Logs for 4624 and 5136
To detect possible exploitation, monitor for Event ID 4624 on domain controllers. The events in question will originate from the NTLM authentication package under the Exchange server computer account (See SANS ISC Diary entry).
Additionally, event ID 5136 will show DACL modifications containing the targeted account’s SID (See SANS ISC Diary entry).
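The correlation the two paragraphs above describe, as an added example that is not part of this advisory: a 5136 that adds an ACE to the domain object's nTSecurityDescriptor shortly after an NTLM 4624 logon by the Exchange computer account is flagged, and the domain SIDs in the added value are reported for comparison with the relaying user's account. It assumes the events have been exported as dictionaries keyed by the standard Security log field names (for instance via Get-WinEvent and ConvertTo-Json); the events, names, SIDs and addresses below are constructed.

```python
# Correlate 4624/5136 Security log events for the Exchange relay pattern.
# Added example, not part of the advisory; the events below are constructed.
import re
from datetime import datetime

# Constructed: an NTLM network logon by the Exchange computer account, then
# a 5136 adding an ACE for a user SID to the domain head's descriptor.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2019-01-30T10:15:02",
     "TargetUserName": "EXCH01$", "AuthenticationPackageName": "NTLM",
     "LogonType": 3, "IpAddress": "10.0.0.50"},
    {"EventID": 5136, "TimeCreated": "2019-01-30T10:15:03",
     "SubjectUserName": "EXCH01$", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "OperationType": "%%14674",  # %%14674 = Value Added, %%14675 = Deleted
     "AttributeValue": "O:DAG:DAD:AI(A;;RPWPCRLCLOCCRCWDWO;;;"
                       "S-1-5-21-1111-2222-3333-1105)"},
]

# Domain account SIDs: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")

def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])

def find_relay_dacl_changes(events, exchange_accounts, window_seconds=300):
    """Return 5136 DACL additions on the domain object that follow, within
    window_seconds, an NTLM 4624 logon by one of exchange_accounts."""
    accounts = {a.upper() for a in exchange_accounts}
    logons = [e for e in events if e["EventID"] == 4624
              and e["AuthenticationPackageName"] == "NTLM"
              and e["TargetUserName"].upper() in accounts]
    hits = []
    for e in events:
        if e["EventID"] != 5136 or e["ObjectClass"] != "domainDNS":
            continue
        if (e["AttributeLDAPDisplayName"] != "nTSecurityDescriptor"
                or e["OperationType"] != "%%14674"):
            continue
        t = _when(e)
        prior = [l for l in logons
                 if 0 <= (t - _when(l)).total_seconds() <= window_seconds]
        if prior:  # report the closest preceding Exchange NTLM logon
            hits.append({"object": e["ObjectDN"],
                         "sids_added": SID_RE.findall(e["AttributeValue"]),
                         "exchange_logon_from": max(prior, key=_when)["IpAddress"]})
    return hits
```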
- Enable SMB and LDAP signing on affected infrastructure.
- If option 1 is not feasible, disable EWS push/pull subscriptions on affected Exchange servers.
- Monitor for related security event logs on domain controllers.
Enable SMB and LDAP signing
SMB and LDAP signing defeats this exploit completely.
Disable Exchange Web Services (EWS) push/pull subscriptions.
Disabling EWS push/pull subscriptions will defeat the exploit completely. EWS will still use streaming notifications to communicate with clients. This may negatively impact Exchange clients which rely on push/pull notification functionality. This will not affect ActiveSync clients.
Prevent Exchange server from connecting to your workstations
Outlook clients should connect to the Exchange server, but the server should not be connecting to your clients directly. Preventing unsolicited outbound connections from the server can increase the difficulty of successful exploitation (See SANS ISC Diary entry). This can be a somewhat complex task for the uninitiated.
- Carnegie Mellon University CERT - VU#465632 Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks
- Dirk-jan Mollema - Abusing Exchange: One API call away from Domain Admin
- SANS ISC Diary - Relaying Exchange’s NTLM authentication to domain admin (and more)
- RandoriSec - From user to domain admin in less than 60sec
- Microsoft Office Dev Center - Notification subscriptions, mailbox events, and EWS in Exchange