[Zero-Day] Unpatched Flaws Revealed in Microsoft Exchange

Executive Summary

Several zero-day flaws in Microsoft Exchange have been disclosed by the Trend Micro Zero Day Initiative (ZDI). These vulnerabilities can be exploited remotely to execute arbitrary code or disclose sensitive information. ZDI reported the zero-day vulnerabilities to Microsoft in September 2023.

Despite being reported to Microsoft, the vulnerabilities remain unpatched.

On November 2, 2023, ZDI coordinated the public release of an advisory regarding these vulnerabilities.

Organisations using Exchange should exercise caution and take appropriate measures to protect their systems, as the vulnerabilities are publicly known.

ZDI-23-1578 – Microsoft Exchange ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability

This vulnerability, initially assigned a CVSS score of 7.5, enables remote attackers to execute arbitrary code on affected Microsoft Exchange installations. The lack of proper validation of user-supplied data within the ChainedSerializationBinder class enables deserialization of untrusted data, leading to code execution in the context of SYSTEM.

Mitigation recommended by ZDI: Limit interaction with the application.

ZDI-23-1579 – Microsoft Exchange DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability

This vulnerability, initially assigned a CVSS score of 7.1, allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. The lack of proper validation of a URI prior to accessing resources within the DownloadDataFromUri method enables information disclosure.

Mitigation recommended by ZDI: Restrict interaction with the application.

ZDI-23-1580 – Microsoft Exchange DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability

This vulnerability, initially assigned a CVSS score of 7.1, allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. The lack of proper validation of a URI prior to accessing resources within the DownloadDataFromOfficeMarketPlace method enables information disclosure.

Mitigation recommended by ZDI: Restrict interaction with the application.

ZDI-23-1581 – Microsoft Exchange CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability

This vulnerability, initially assigned a CVSS score of 7.1, allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. The lack of proper validation of a URI prior to accessing resources within the CreateAttachmentFromUri method enables information disclosure in the context of the Exchange server.

Mitigation recommended by ZDI: Restrict interaction with the application.
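The three SSRF advisories above share one root cause: the server fetches a URI without validating it first. As an added illustration (not code from Exchange, Microsoft or ZDI), the check below shows what such validation typically involves: an allow-listed scheme, resolution of the host to concrete addresses that the caller then pins, and rejection of anything in loopback, private, link-local or other non-routable ranges. The `resolve` parameter is a hypothetical hook so the check can be exercised with a stub resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes are acceptable for a server-side fetch of a
# user-supplied URI; file:, gopher:, ldap: and the like are rejected outright.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip) -> bool:
    """True only for globally routable addresses. Loopback, RFC 1918,
    link-local (which covers 169.254.169.254 cloud metadata), multicast,
    reserved and unspecified addresses are all treated as internal."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_uri(uri: str, resolve=socket.getaddrinfo) -> list:
    """Validate a URI before the server fetches it.

    Returns the public IP addresses the fetch may connect to, or raises
    ValueError. The caller should connect to one of the returned addresses
    rather than re-resolving the hostname, so that a DNS change between
    check and fetch cannot redirect the request to an internal host.
    `resolve` is a hypothetical injection point (defaults to getaddrinfo).
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URI are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # Literal address such as http://127.0.0.1/ or http://[::1]/
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname: resolve every A/AAAA record and require all of them to
        # be public; a name with one public and one internal record fails.
        try:
            infos = resolve(host, parts.port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from None
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not candidates:
        raise ValueError(f"no addresses for {host!r}")
    internal = [str(ip) for ip in candidates if not is_public_ip(ip)]
    if internal:
        raise ValueError(f"{host!r} maps to internal address(es): {internal}")
    return [str(ip) for ip in candidates]
```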

Takeaways

These zero-day vulnerabilities pose a high-severity risk, allowing remote code execution and information disclosure. With the vulnerability details public and no patch available, threat actors may take advantage of this window of opportunity. Organisations using Exchange should apply the recommended mitigations and closely monitor their environments for any abnormal activity.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.