Zero-Day Vulnerabilities in Microsoft Exchange: A Deep Dive. As we spotlight the active threats, we dissect the anatomy of the vulnerabilities, outline the immediate risks users face, and pinpoint the protective measures available in an ever-evolving cyber threat landscape. This article explains the newly found Exchange Server zero-day vulnerabilities, how attackers exploit them, and how to secure our Exchange Server against them.
Zero-Day Vulnerabilities in Microsoft Exchange: A Deep Dive
A zero-day vulnerability refers to a security flaw in software that is unknown to the vendor and has not been patched or mitigated. It earns its name from the fact that developers have had zero days to address the issue, leaving systems vulnerable to exploitation by cyber attackers. These vulnerabilities are particularly concerning because they can be exploited immediately upon discovery, often before developers are even aware of their existence. As a result, zero-day vulnerabilities pose significant risks to digital systems, potentially leading to unauthorized access, data breaches, and other forms of cyber attacks.
Within Microsoft Exchange, we must understand the role and impact of organizations that detect Zero-Day vulnerabilities like the Zero-Day Initiative.
What is the Zero Day Initiative?
The Zero-Day Initiative (ZDI) is a critical player in cybersecurity, actively identifying and mitigating software vulnerabilities. Initiated by Trend Micro, ZDI's mission is to proactively discover and resolve zero-day vulnerabilities: flaws that malicious actors exploit before developers address them. ZDI employs a meticulous approach to vulnerability research, with experts systematically scrutinizing software code to pinpoint potential weaknesses.
ZDI is committed to responsible disclosure; upon identifying a vulnerability, it collaborates with the affected vendor to develop a patch before making the findings public. This strategy addresses immediate risks and fosters a culture of shared responsibility within the cybersecurity community. Furthermore, ZDI goes beyond identification by incentivizing global researchers to contribute their findings.
Through a competitive program, ZDI rewards researchers for submitting high-quality vulnerability reports, creating a network of experts globally contributing to the collective defense against emerging threats. The Zero-Day Initiative is a vital link between vulnerability discovery and remediation, emphasizing the importance of early detection and collaborative action in securing digital ecosystems. Understanding the role of organizations like ZDI becomes paramount as we navigate the intricate landscape of zero-day vulnerabilities within Microsoft Exchange, fortifying our defences against evolving cyber threats.
Microsoft Exchange New Zero-Day Vulnerabilities
Microsoft Exchange Server, a widely adopted email and calendar platform, faces recurrent cyber threats aimed at compromising sensitive data. Independent researchers from the Zero Day Initiative recently uncovered four novel zero-day vulnerabilities affecting the Exchange Server: ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, and ZDI-23-1581. These vulnerabilities require authentication to exploit, but once authenticated an attacker can execute remote code on, or disclose information from, the Exchange Server.
Exploiting these vulnerabilities enables remote code execution (RCE), allowing attackers to run arbitrary commands on the server. Additionally, information disclosure permits access to sensitive data or files. The consequences are severe, ranging from pilfering emails, contacts, and calendars to installing malware, ransomware, or backdoors on the server.
The detailed breakdown of these vulnerabilities is as follows:
- ZDI-23-1578: This flaw resides in the ChainedSerializationBinder class, where inadequate validation of user data facilitates remote code execution (RCE) by enabling attackers to deserialize malicious data. Exploiting this flaw allows attackers to run any code with SYSTEM privileges, the highest on Windows.
- ZDI-23-1579: A flaw in the DownloadDataFromUri method allows attackers to obtain sensitive information from Exchange servers by bypassing proper URI validation.
- ZDI-23-1580: This vulnerability emerges from faulty URI validation in the DownloadDataFromOfficeMarketPlace method, potentially leading to unauthorized disclosure of information.
- ZDI-23-1581: In the CreateAttachmentFromUri method, poor URI validation exposes sensitive data and may result in a Server Side Request Forgery (SSRF) during attachment insertion.
These revelations underscore the critical need for prompt security measures and vigilant patching to safeguard against potential exploitation, reinforcing the ongoing challenges posed by evolving cyber threats to Microsoft Exchange users.
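Three of the four flaws above come down to URI validation that was too weak on a server-side download path. The following added example (not Exchange code and not from the original article) shows the shape of the allow-list check such a path needs: only http/https, only DNS host names, no embedded credentials, and only hosts on an explicit allow-list. The allow-list host and the sample inputs are constructed placeholders.

```powershell
# Added example: an allow-list URI check of the kind the DownloadDataFromUri and
# CreateAttachmentFromUri paths described above were missing. Returns $true only
# for a well-formed http/https URI whose host is a DNS name on the allow-list.
function Test-SafeDownloadUri {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [string[]]$AllowedHosts = @('marketplace.example.com')   # assumed allow-list
    )
    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        return $false                                   # relative or unparseable
    }
    if ($parsed.Scheme -notin @('http', 'https')) {
        return $false                                   # no file:, ftp:, gopher: etc.
    }
    if ($parsed.UserInfo) {
        return $false                                   # reject user:pass@host forms
    }
    # Only DNS names are considered; IPv4/IPv6 literals (loopback, link-local,
    # RFC 1918, cloud metadata addresses) are rejected outright.
    if ($parsed.HostNameType -ne [System.UriHostNameType]::Dns) {
        return $false
    }
    $allowed = $AllowedHosts | ForEach-Object { $_.ToLowerInvariant() }
    return ($parsed.Host.ToLowerInvariant() -in $allowed)
}

# Constructed sample inputs; only the first one should be accepted.
$samples = @(
    'https://marketplace.example.com/app.xml',
    'http://127.0.0.1/owa',
    'http://169.254.169.254/metadata',
    'file:///C:/Windows/win.ini',
    'https://user@marketplace.example.com/app.xml',
    'https://attacker.example/marketplace.example.com'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-SafeDownloadUri -Uri $s), $s
}
```

A production check would additionally resolve the allowed name and re-check the resulting address before connecting, since a DNS answer can point an allowed name at an internal address.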
How Hackers Can Exploit These Vulnerabilities
To exploit these vulnerabilities, the attacker must possess valid credentials for accessing the Exchange Server. In other words, the attacker must have the username and password of an Exchange user or administrator. Cybercriminals have many ways of compromising user credentials.
For example, hackers compromise credentials through phishing and brute-force attacks. Once the attacker has the credentials, they send specially crafted requests to the Exchange Server, using the vulnerabilities to execute code or disclose information. The attacker may also chain the vulnerabilities together, using one to gain access to another and increase the attack's impact.
- ZDI-23-1578:
  - Allows the attacker to execute code as SYSTEM on the Exchange Server.
- ZDI-23-1579, ZDI-23-1580, ZDI-23-1581:
  - Enable the attacker to access information from the Exchange Server or from other hosts on the network.
- Alternative scenario (chaining):
  - The attacker first uses ZDI-23-1579, ZDI-23-1580, or ZDI-23-1581 to obtain information from the Exchange Server.
  - The attacker then uses ZDI-23-1578 to execute code on the Exchange Server.
Securing Our Exchange Server From Vulnerabilities
To safeguard our Exchange Server against zero-day vulnerabilities, update our Exchange Server software promptly. Obtain these updates from the Microsoft Security Response Center or the Microsoft Update service. Additionally, we routinely monitor our Exchange Server logs for any indications of compromise or suspicious activities.
While immediate updates are crucial, a comprehensive security strategy should extend beyond addressing known vulnerabilities to fortify our Exchange Server against potential future cyber threats. Implementing multi-factor authentication (MFA) for users and administrators is paramount. MFA mandates multiple verification forms, such as a FIDO security key, password, mobile app, or user fingerprint, enhancing security by requiring more than one piece of evidence to verify user identity.
MFA significantly raises the bar for attackers attempting to access the Exchange Server, even if they possess the password. The additional layer of authentication poses a formidable challenge, as cybercriminals must overcome the second factor’s hurdle, reinforcing our Exchange Server’s overall resilience against potential security breaches.
Enable Microsoft 365 Multi-Factor Authentication
A security feature in Office 365 called multi-factor authentication (MFA) verifies that the user attempting to access Exchange Online is the person who owns the account. This feature lets us strengthen the security of the Exchange Online account.
Add MFA Office 365 for Single User
3. Choose the checkbox corresponding to the Office 365 user for whom MFA is to be enabled. Upon selecting the mailbox, a new window appears on the right side.
4. Select the Enable option, click Enable Multi-Factor Auth, and then close the window. Our setup for MFA on the Office 365 account is now complete.
Bulk Enable Multi-Factor Authentication
1. To enable MFA for multiple users, we need to create a CSV file with the following details in the given format and save it in .csv format.
2. Hit the Bulk Update button on the multi-factor authentication page.
3. Click on the Browse For File button and insert the CSV. Click the Next arrow, and it validates the CSV. Once verified, hit the Next arrow again and press the Done button. This step assigns MFA to all Exchange Online mailboxes listed in the CSV.
Choosing an Authentication Method
Once we have assigned MFA to the Exchange Online mailboxes, we need to choose the verification method used at the time of the Office 365 account login. After enabling MFA for an Exchange Online mailbox, we need to log in to each MFA-assigned mailbox and set up the verification method. When we open those accounts, we are asked to provide the additional security verification type.
There are 2 options to boost our Office 365 account security:
- Authentication Phone: we must provide our mobile number with the country code. Click Next to register the phone number to our Office 365 account. After this step, we receive a code; type the code and hit the Verify button. Finally, we are shown a code that we need to keep.
- Mobile App: set up the Microsoft Authenticator app on our mobile phone. Install and sign in to the mobile app, then click Setup. Once we click the Setup button, a QR code appears on the screen, which we need to scan from the mobile app. Click Next. This process sets up MFA for Office 365 users.
Enabling M365 MFA with PowerShell
Before assigning Office 365 MFA using Windows PowerShell, we must fulfil a few prerequisites:
- The latest version of the .NET Framework
- Microsoft Online Service Sign-in Assistant for IT Professionals RTW
- Azure Active Directory Module for PowerShell (64-bit version)
Now, follow the below steps to set up MFA for Office 365 Exchange Online with PowerShell:
1. Check the current PowerShell execution policy:
Get-ExecutionPolicy
If the output is not Unrestricted, run the following command:
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
2. Capture the Office 365 login credentials in a variable; PowerShell prompts for the username and password, and the next step uses them to connect:
$UserCredential = Get-Credential
3. Import the Microsoft Online Services module and connect it to Office 365.
Import-Module MSOnline
Connect-MsolService -Credential $UserCredential
4. Create the strong authentication requirement object and apply it to all relying parties:
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
5. Set the MFA state to Enabled:
$auth.State = "Enabled"
$auth.RememberDevicesNotIssuedBefore = (Get-Date)
6. Finally, assign the requirement to the users.
For a single user (replace <UserPrincipalName> with the user's UPN):
Set-MsolUser -UserPrincipalName <UserPrincipalName> -StrongAuthenticationRequirements $auth
For all users:
Get-MsolUser -All | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth }
7. Login to the user account to which we have assigned the MFA and provide the information for the 2-step verification process.
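The following added example (not the article's own script) wraps steps 2 to 6 above into one run and then verifies the outcome by listing licensed accounts that still carry no MFA requirement, which is the check an administrator wants before declaring the rollout done. The target UPNs are placeholders, and the cmdlets are the MSOnline ones used above.

```powershell
# Added example: enable MFA for a set of users with the MSOnline module, then
# audit which licensed accounts still lack a StrongAuthenticationRequirement.
Import-Module MSOnline -ErrorAction Stop
$UserCredential = Get-Credential -Message 'Office 365 administrator credentials'
Connect-MsolService -Credential $UserCredential

# Same requirement object as steps 4 and 5 of the procedure above.
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = '*'
$auth.State = 'Enabled'
$auth.RememberDevicesNotIssuedBefore = (Get-Date)

function Enable-UserMfa {
    # Applies $auth to each UPN; a failure on one account does not stop the rest.
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        try {
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $auth -ErrorAction Stop
            Write-Host "Enabled MFA for $upn"
        } catch {
            Write-Warning "Could not enable MFA for $upn : $($_.Exception.Message)"
        }
    }
}

function Get-UsersWithoutMfa {
    # Licensed users whose StrongAuthenticationRequirements collection is empty.
    Get-MsolUser -All |
        Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
        Select-Object UserPrincipalName, DisplayName
}

# Placeholder target accounts; replace with real UPNs, or feed them from the
# bulk CSV described earlier, e.g. (Import-Csv .\users.csv).UserPrincipalName
Enable-UserMfa -UserPrincipalName 'user1@example.com', 'user2@example.com'

$missing = @(Get-UsersWithoutMfa)
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) licensed account(s) still have no MFA requirement:"
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'Every licensed account has an MFA requirement.'
}
```

Note that the signed MSOnline module loads under the RemoteSigned execution policy, so step 1's Unrestricted setting is not required for this script to run.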
Zero-Day Vulnerabilities in Microsoft Exchange Conclusion
In conclusion, exploring zero-day vulnerabilities in Microsoft Exchange unveils a dynamic landscape of persistent cyber threats. As we navigate the intricate details of these exploits and the crucial role played by the Zero-Day Initiative, it becomes evident that proactive measures, such as immediate software updates and the integration of multi-factor authentication, are imperative for fortifying the resilience of Exchange Servers. By embracing a vigilant approach and staying ahead of emerging threats, organizations navigate the evolving cybersecurity terrain with heightened resilience and confidence.