Lord777
ZDI experts have uncovered critical vulnerabilities that require immediate action.
Four zero-day vulnerabilities have been discovered in Microsoft Exchange that allow attackers to remotely execute arbitrary code and steal confidential data. The issues were disclosed by Trend Micro's Zero Day Initiative (ZDI) research group, which reported them to Microsoft on September 7 and 8, 2023.
Although Microsoft confirmed receipt of the reports, its engineers did not consider the vulnerabilities serious enough to require an immediate fix and postponed the release of patches to a later date. ZDI disagreed with this decision and published information about the vulnerabilities under its own IDs to warn Exchange administrators of the security risks.
Among the vulnerabilities:
- ZDI-23-1578: A remote code execution vulnerability in the 'ChainedSerializationBinder' class, where user-supplied data is not properly validated, allowing attackers to deserialize untrusted data. Successful exploitation lets an attacker execute arbitrary code as 'SYSTEM', the highest privilege level in Windows.
- ZDI-23-1579: A vulnerability in the 'DownloadDataFromUri' method caused by insufficient URI validation before a resource is accessed, which can lead to unauthorized access to confidential Exchange server information.
- ZDI-23-1580 and ZDI-23-1581: Both also involve incorrect URI validation and can likewise leak sensitive information.
Exploiting any of these vulnerabilities requires authentication, which lowers their CVSS scores to 7.1-7.5. The need for authentication is a mitigating factor, and this is perhaps why Microsoft did not prioritize fixing these bugs.
However, it should be noted that there are many ways for cybercriminals to obtain Exchange credentials, including using weak passwords, phishing attacks, and buying or retrieving them from malware logs.
ZDI emphasizes that the only effective mitigation strategy is to limit interaction with Exchange applications, although this may not be acceptable for many companies and organizations that use this product.
We also recommend implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances, even if their credentials are compromised.