You're an admin! You're an admin! You're all admins, thanks to this Microsoft Exchange zero-day and exploit

Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin. On Thursday, Dirk-jan Mollema, a security researcher with Fox-IT in the Netherlands, published proof-of-concept code and an explanation of the attack, which involves the interplay …

  1. gerdesj Silver badge
    Windows

    Possible quick fix

    "and enforcing SMB signing."

    I haven't had time to get to the bottom of this snag yet but enabling SMB signing is a very quick, easy and low risk change. You probably have it enabled already if you're big enough to need an Exchange system cluttering up the place. Fire up gpmc.msc!

    https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ - Mitigations. Several low cost options there that are a good idea anyway.

    1. bombastic bob Silver badge
      Linux

      Re: Possible quick fix

      How about a PERMANENT fix?

      a) install Linux

      b) use Cyrus for IMAP, sendmail or Exim for SMTP, and Samba for shares.

      c) be gone, Microshaft's so-called "solution"

      1. phuzz Silver badge

        Re: Possible quick fix

        Did you realise that Exchange isn't just 'an email server'? At least recommend something like Zimbra to cover calendars and a web UI, then you might as well use Samba v4 (I assume we're ignoring the fact it's based on Microsoft code) to give you proper single sign-on, and there's not really any equivalent to Group Policy, but I suppose we could use something like Puppet to provide consistency across users' desktops.

        So, once you've hooked up all those different Open Source programs and got them all working (probably not as turn-key as setting up a Windows domain), what's the betting that you've inadvertently left a similarly glaring security hole?

        1. Jeremy Allison

          Re: Possible quick fix

          > "you might as well use Samba v4 (I assume we're ignoring the fact it's based on Microsoft code)"

          A correction. Samba is not, and has never been, based on Microsoft code. (Well, now we have a Microsoft engineer on the Samba Team I suppose his changes could now be accurately described as such, but he writes new code, not cut-n-paste from the Microsoft git repositories :-).

          Jeremy Allison,

          Samba Team.

        2. razorfishsl

          Re: Possible quick fix

          Zimbra is a bloat filled hackers paradise.......

      2. Captain Scarlet Silver badge
        Coat

        Re: Possible quick fix

        a) Install IBM Domino and....

        Ok ok I am leaving, put down the pitchfork, I bet you are a pre version 5 Lotus Notes user

        1. theblackhand

          Re: Possible quick fix

          Captain Scarlet...no pitchfork, but I would like to escort you to the Hague for your trial...

        2. OopsSorryMyBad...
          Devil

          Re: Possible quick fix

          Could always use cc:Mail. Then they'll bring torches along with those pitchforks.

          1. J. Cook Silver badge
            Coat

            Re: Possible quick fix

            Or.... (dare I say it? DARE! DARE!)

            Groupwise.

            *sprints to the armored bunker*

        3. Outski
          Pint

          Re: Possible quick fix

          v10.0.1 on the laptop, yay :o)

          v8.5.3 on the Citrix env, boo :o(

          It's Friday, I'm still at work, but it's quarterly company booze day :o) ---->>>

        4. T. F. M. Reader Silver badge

          Re: Possible quick fix

          @Captain Scarlet: Install IBM Domino...

          Well, I was subjected to both Domino and Exchange at various stages of my career. I must admit I found myself longing for the other one every time...

        5. kain preacher Silver badge

          Re: Possible quick fix

          I've been told that Dominions is an excellent program to use and admin once you understand the philosophy of it

      3. Aodhhan Bronze badge

        Re: Possible quick fix

        Bob...

        New to information security and/or application development are you?

        You're too fixated on an issue without looking at the entire requirement(s) a product is meant to provide.

        Your 'solution' doesn't even come close to providing a workaround for Exchange.

        Also, thinking Linux is so much more secure than Windows is short-sighted and short-minded.

        Especially when both require humans to build and configure them--not to mention the applications running on top of the OS.

        1. Michael Wojcik Silver badge

          Re: Possible quick fix

          Bob...

          New to information security and/or application development are you?

          Er ... are you new to Bob? His self-appointed role here is to post flamebait.

      4. Anonymous Coward
        Anonymous Coward

        Re: Possible quick fix

        shirley you mean freebsd?

        1. herman Silver badge

          Re: Possible quick fix

          OpenBSD would be better and don't call me Shirley. Now get off my lawn also.

      5. Nate Amsden Silver badge

        Re: Possible quick fix

        I've used Cyrus for the past 19 years now... for email it works great (though the migration from v1 to v2 was quite painful - though I haven't run email for a corporate type environment since 2002 and at the time it was Cyrus). Since then the only email hosting I have done is just my personal and family stuff.

        I don't have opinions strong enough to try to talk someone else into what email solution to use, but I wanted to (sadly) mention this that I noticed last year:

        https://www.cmu.edu/computing/services/comm-collab/email-calendar/cyrus/decommission.html

        made me kinda feel sick inside (the main reason of course being they built Cyrus, am not sure how much involvement they have in it today).

        I have been a user of Office 365 for the past 6 years or so (I don't work in corporate IT so have never managed Exchange). I don't have major complaints. I'm certainly not the office power user who leverages their stuff more, so can understand those who need that groupware functionality. I could get by with just IMAP without an issue, though I know many others need much more than that. Office 2010 on Windows 7 and OWA on Linux and email on Android all seem to work OK.

      6. Kiwi Silver badge
        Trollface

        Re: Possible quick fix

        Now come on Bob, if we all install Linux we won't have the joy of waiting for nearly a month to get the official fix in!

    2. From the States

      Re: Possible quick fix

      SMB signing is not a free transaction. It does require CPU cycles and for systems that are already constrained, it's a non-starter.

      1. Danny 14 Silver badge

        Re: Possible quick fix

        If your Exchange server is THAT constrained then you should be looking at respeccing.

    3. Danny 14 Silver badge

      Re: Possible quick fix

      Looking in the registry, all my 2012r2 servers had this enabled by default. Even my member Office 365 proxy server. I don't have a GPO enabled so I suspect SMB signing is default for some OS.
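For anyone wanting to do the registry check above (and the gpmc.msc change gerdesj suggests) without clicking through the UI, here is an added PowerShell audit script. It is not from the thread or from Dirk-jan's post; it assumes only the built-in LanmanServer/LanmanWorkstation registry paths and the SmbShare cmdlets that ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: audit (and optionally enforce) SMB signing on the local host.
# Run from an elevated PowerShell session.

$paths = @{
    'Server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SmbSigningState {
    foreach ($role in $paths.Keys) {
        $p = Get-ItemProperty -Path $paths[$role] -ErrorAction SilentlyContinue
        # A missing value means the OS default applies; report it as unset
        # rather than guessing what that default is on this build.
        [pscustomobject]@{
            Role     = $role
            Enabled  = if ($null -ne $p.EnableSecuritySignature)  { [bool]$p.EnableSecuritySignature }  else { 'unset (OS default)' }
            Required = if ($null -ne $p.RequireSecuritySignature) { [bool]$p.RequireSecuritySignature } else { 'unset (OS default)' }
        }
    }
}

Get-SmbSigningState | Format-Table -AutoSize

# Cross-check against the live SMB configuration where the SmbShare module is
# present; this reflects what the service is actually doing right now.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
    Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
}

# Enforcement: for a fleet, prefer the GPO (gpmc.msc > Computer Configuration >
# Policies > Windows Settings > Security Settings > Local Policies > Security
# Options > "Microsoft network server: Digitally sign communications (always)").
# The cmdlet below is the per-host equivalent; flip $Enforce to apply it.
$Enforce = $false
if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
```

"Required" is the value that matters for this mitigation; "Enabled" alone only offers signing and still lets an unsigned session through.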

  2. aregross
    Meh

    I'm glad I'm not an Admin anymore, keeping up with all this sh1t would be a full-time job!

    Oh wait...!

    1. JimboSmith Silver badge
      Pint

      You almost owed me a new keyboard. Have a pint.

  3. W.S.Gosset Bronze badge

    Dirk-jan

    Make your mind up

  4. redpawn Silver badge

    Equality for all

    Microsoft just keeps giving and giving. No wonder they are so popular.

  5. disco_stu

    From this reddit thread it's assumed it will work on Exchange 2010, just that it hasn't been tested.

    https://www.reddit.com/r/netsec/comments/aikhj7/abusing_exchange_one_api_call_away_from_domain/

    1. Keith Langmead

      Reddit thread updated a few hours after you posted with:

      "Update: I've tested it on Exchange 2010 SP3 and it seems not affected. The blog was updated to reflect this."

      1. Steve Cooper

        For once I'm glad we still use Exchange 2010 SP3 :)

  6. Version 1.0 Silver badge

    Don't worry

    This is serious, I'm confident that a fix for this will be released very quickly ... and everyone (including Equifax) will get it installed by 2020.

  7. Anonymous Coward
    Anonymous Coward

    A lack of Media Handlers

    ... sounds like a security issue in and of itself. Just install a new codec. Oh wait.

  8. Cubical Drone

    Not sure MS understands the meaning of 'proactively'.

    “Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively eventually updating impacted devices as soon as possible,"

    FIFY

  9. Anonymous Coward
    Anonymous Coward

    Posting anon since I'm at work - did he coordinate with Microsoft at all?

  10. Anonymous Coward
    Anonymous Coward

    I agree with all comments below

  11. Pascal Monett Silver badge

    “Microsoft has a strong commitment.."

    .. to getting all the revenue it can.

    Security ? Protecting private information ? The user experience ?

    That comes after shareholder revenue.

    Way after.

  12. Hans 1 Silver badge
    Windows

    Office 365 should not be used in corporate environment

    Not GDPR compliant ... anyway ... "The World Won't Listen"

  13. Anonymous Coward
    Anonymous Coward

    I'm admin. That's what killed my payrise. Despite being allowed to write my own JD and put terms like develop / script / SQL / servers ....

    The people that look at the JDs to make sure everyone's being paid fairly know fuck all about I.T., so when they saw "administrator" they read "receptionist".
