Exchange 2013 or later fails to properly authenticate and validate certain requests, allowing a remote attacker with access to an Exchange mailbox to gain full Domain Administrative privileges.

CVSS Base Score: 8.3

Likelihood of exploit success

Very high – all required exploit code is publicly available.

Detections available

Monitor Domain Controller Security Events Logs for 4624 and 5136

Detection of possible exploitation of this is to monitor for Event ID 4624 on domain controllers. The events in question will originate from the NTLM authentication package under the Exchange server computer account (See SANS ISC Diary entry).

Additionally, event ID 5136 will show DACL modifications containing the targeted account’s SID (See SANS ISC Diary entry).

Recommended Defense

Enable SMB and LDAP signing on affected infrastructure.
If option 1 is not feasible, disable EWS push/pull subscriptions on affected Exchange servers.
Monitor for related security event logs on domain controllers.

Mitigations available

Enable SMB and LDAP signing

SMB and LDAP signing defeats this exploit completely.

Disable Exchange Web Services (EWS) push/pull subscriptions.

Disabling EWS push/pull subscriptions will defeat the exploit completely. EWS will still use streaming notifications to communicate with clients. This may negatively impact Exchange clients which rely on push/pull notification functionality. This will not affect ActiveSync clients.

Prevent Exchange server from connecting to your workstations

Outlook clients should connect to the Exchange server, but the server should not be connecting to your clients directly. Preventing uninitiated outbound communication from the server can increase the difficult of successful exploitation (See SANS ISC Diary entry). This can be a somewhat complex task for the uninitiated.

References

Carnegie Mellon University CERT – VU#465632 Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks
Dirk-jan Mollema – Abusing Exchange: One API call away from Domain Admin
SANS ISC Diary – Relaying Exchange’s NTLM authentication to domain admin (and more)
RandoriSec – From user to domain admin in less than 60sec
Microsoft Office Dev Center: Notification subscriptions, mailbox events, and EWS in Exchange