Alert - Microsoft Exchange Privilege Escalation

Number: AL19-004
Date: 30 January 2019

Purpose

An ALERT is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. (The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this ALERT to recipients as requested.)

Assessment

The goal of this Alert is to bring heightened attention to a Microsoft Exchange Privilege Escalation vulnerability disclosed on 21 January 2019, affecting Exchange 2013 through 2016. There is currently no patch available.

Using stolen credentials, a malicious actor who has the ability to communicate with both a Microsoft Exchange server and a Windows Domain Controller on the same domain may be able to gain domain administrator privileges. It is also reported that a malicious actor may be able to exploit the same vulnerability by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server, even if they only have a valid login credential without a password.

This vulnerability is a combination of three (default) settings and mechanisms that a malicious actor can abuse to escalate privileges from any email account to a domain administrator.

The three issues are as follows:

  • Exchange servers have high privileges by default in a domain.
  • NTLM authentication can be relayed.
  • Exchange servers can be asked to authenticate to an arbitrary IP using the EWS (Exchange Web Services) PushSubscription feature.

Suggested action

  • Consider disabling EWS push/pull subscriptions if they are not required.
  • Enable LDAP signing and LDAP channel binding to prevent relaying to LDAP and LDAPS respectively.
  • Use an internal firewall to prevent Exchange from connecting to workstations - typically workstations should connect to Exchange, not the opposite. This makes exploitation more difficult to accomplish.
  • Enable Extended Protection for Authentication on the Exchange endpoints in IIS. This verifies the channel binding parameters in the NTLM authentication, which ties NTLM authentication to a TLS connection and prevents relaying to Exchange web services.
  • Remove the registry key which makes relaying back to the Exchange server possible, as discussed in Microsoft's mitigation for CVE-2018-8581.
  • Enforce SMB signing on Exchange servers (and preferably all other servers and workstations in the domain) to prevent cross-protocol relay attacks to SMB.
  • Remove unnecessary high privileges that Exchange may have on the Domain object (this is not supported by Microsoft and may break some instances).
  • Monitor the Domain Controllers' logs for event 5136 and search for the following GUIDs:
    • 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
    • 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
    • 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set)
  • Monitor the Domain Controllers' logs for the following event to detect NTLM relay attacks where the Exchange server's credentials were used. The Source Network Address field will show the IP address of the attacker:
    • EventCode=4624
    • LogonType=3
    • Authentication Package=NTLM
    • Account Name = YOUREXCHANGESERVER$
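As an added illustration (not part of the Cyber Centre alert), the following Python applies the two monitoring checks from the list above to constructed sample events: an ACL change granting one of the replication GUIDs, and an NTLM network logon by an Exchange computer account from an address that is not an Exchange server. The Exchange account and IP inventory are assumed values a deployment would supply.

```python
# Added example, not from the Cyber Centre alert: detection logic for the two
# Domain Controller indicators listed above. Field names follow the alert;
# sample events are constructed and the Exchange inventory is an assumed input.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
EXCHANGE_ACCOUNTS = {"EXCH01$"}  # assumed: Exchange computer accounts
EXCHANGE_IPS = {"10.0.0.25"}     # assumed: their legitimate addresses

def replication_rights_granted(event):
    """Event 5136: names of replication rights present in a modified
    nTSecurityDescriptor (the GUIDs appear inside SDDL object ACEs)."""
    if event.get("EventCode") != 5136 or event.get("Attribute Name") != "nTSecurityDescriptor":
        return []
    sddl = event.get("Attribute Value", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in sddl]

def relayed_exchange_logon(event):
    """Event 4624: the source address when an Exchange computer account performs
    an NTLM network logon from a host that is not an Exchange server, which is
    how a relayed Exchange credential appears on the Domain Controller."""
    if (event.get("EventCode") != 4624 or event.get("LogonType") != 3
            or event.get("Authentication Package") != "NTLM"
            or event.get("Account Name") not in EXCHANGE_ACCOUNTS):
        return None
    source = event.get("Source Network Address")
    return None if source in EXCHANGE_IPS else source

def scan(events):
    # Run both checks over a log stream and collect findings as tuples.
    findings = []
    for ev in events:
        for right in replication_rights_granted(ev):
            findings.append(("replication-right-granted", right, ev.get("Object DN")))
        src = relayed_exchange_logon(ev)
        if src:
            findings.append(("exchange-ntlm-relay", ev["Account Name"], src))
    return findings

# Constructed samples: a normal Exchange logon, a suspicious one, and an ACL
# change granting DS-Replication-Get-Changes-All to an unexpected SID.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "LogonType": 3, "Authentication Package": "NTLM",
     "Account Name": "EXCH01$", "Source Network Address": "10.0.0.25"},
    {"EventCode": 4624, "LogonType": 3, "Authentication Package": "NTLM",
     "Account Name": "EXCH01$", "Source Network Address": "10.0.5.77"},
    {"EventCode": 5136, "Object DN": "DC=example,DC=local",
     "Attribute Name": "nTSecurityDescriptor",
     "Attribute Value": "O:DAG:DAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"},
]
```

Legitimate Exchange servers also produce NTLM network logons with their own account, so the check only flags the logon when the source address falls outside the known Exchange addresses.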

References

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-3.5/dd767318(v=vs.90)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

Note to readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.