Executive Summary
Several zero-day flaws in Microsoft Exchange have been disclosed by the Trend Micro Zero Day Initiative (ZDI). These vulnerabilities can be exploited remotely to execute arbitrary code or disclose sensitive information. ZDI reported the zero-day vulnerabilities to Microsoft in September 2023.
Despite being reported to Microsoft, the vulnerabilities remain unpatched.
On November 2, 2023, ZDI coordinated the public release of an advisory regarding these vulnerabilities.
Organisations using Exchange should exercise caution and take appropriate measures to protect their systems, as the vulnerabilities are publicly known.
ZDI-23-1578 – Microsoft Exchange ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability, initially assigned a CVSS score of 7.5, enables remote attackers to execute arbitrary code on affected Microsoft Exchange installations. The lack of proper validation of user-supplied data within the ChainedSerializationBinder class enables deserialization of untrusted data, leading to code execution in the context of SYSTEM.
Mitigation recommended by ZDI: Limit interaction with the application.
ZDI-23-1579 – Microsoft Exchange DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability
This vulnerability, initially assigned a CVSS score of 7.1, allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. The lack of proper validation of a URI prior to accessing resources within the DownloadDataFromUri method enables information disclosure.
Mitigation recommended by ZDI: Restrict interaction with the application.
ZDI-23-1580 – Microsoft Exchange DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability
This vulnerability, initially assigned a CVSS score of 7.1, allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. The lack of proper validation of a URI prior to accessing resources within the DownloadDataFromOfficeMarketPlace method enables information disclosure.
Mitigation recommended by ZDI: Restrict interaction with the application.
ZDI-23-1581 – Microsoft Exchange CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability
This vulnerability, initially assigned a CVSS score of 7.1, allows remote attackers to disclose sensitive information on affected installations of Exchange.
The lack of proper validation of a URI prior to accessing resources within the CreateAttachmentFromUri method enables information disclosure in the context of the Exchange server.
Mitigation recommended by ZDI: Restrict interaction with the application.
Takeaways
These zero-day vulnerabilities pose a high-severity risk, allowing for remote code execution and information disclosure. With the vulnerability details public and no patch available, threat actors may take advantage of this window of opportunity. Organisations using Exchange should apply the mitigations and closely monitor their environments for any abnormal activity.