'High-Severity' Microsoft Exchange Vulnerability Disclosed on Heels of Black Hat Talk

A high-severity vulnerability in hybrid Microsoft Exchange environments has been disclosed, posing a significant risk to federal systems and organizations worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing agencies to take immediate action to remediate the flaw, which could allow an attacker who already controls an on-premises Exchange server to escalate privileges into the organization's connected Microsoft 365 cloud environment.

The vulnerability was disclosed by Outsider Security researcher Dirk-jan Mollema in a presentation at the Black Hat cybersecurity conference. In his demo, Mollema showed how he could modify user passwords, convert cloud users to hybrid users, and impersonate hybrid users using the technique. This can give an attacker up to 24 hours of unchecked, elevated access, enough to escalate privileges further or establish persistent access spanning on-premises Exchange and Microsoft 365.

"These tokens, they're basically valid for 24 hours," Mollema said during his presentation. "You cannot revoke them. So if somebody has this token, there's absolutely nothing you can do from a defensive point of view." The tokens in question are issued to the shared service principal that on-premises Exchange uses to authenticate to Microsoft 365; once an attacker has obtained one it cannot be revoked, leaving the attacker with up to 24 hours of access that defenders cannot cut short.

Microsoft issued a "high-severity vulnerability" alert on Wednesday evening about the flaw affecting on-premises versions of Microsoft Exchange. The company said it plans to accelerate customers' adoption of its updated hybrid configuration. A hybrid environment is a setup in which an organization runs Exchange both on its own infrastructure and in the Microsoft 365 cloud, with the two connected so that mailboxes, calendars and directory data work across both.

To reduce the exposure, Microsoft will begin temporarily blocking Exchange Web Services (EWS) traffic that authenticates with the Exchange Online shared service principal, with the rollout taking place over the coming months. In a related explainer, Microsoft said it had first shipped security changes for Exchange Server hybrid deployments in April and later determined that those configuration changes also closed a genuine security flaw, which is why customers who have not yet applied them are now being urged to do so.
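The article does not spell out how an administrator would confirm where a given environment stands, so the following is an added example, written for this page and not taken from the article, from Microsoft or from Outsider Security. It performs two read-only checks: whether the local Exchange server's binaries are at or above the April 2025 hotfix build for its cumulative update, and whether the tenant's shared Exchange Online service principal still carries key credentials (the on-premises OAuth certificate that the shared-principal hybrid configuration registers there). It assumes it is run from the Exchange Management Shell on an Exchange server with the Microsoft.Graph PowerShell module installed and an account able to consent to Application.Read.All. The minimum build numbers and the Exchange Online application ID are quoted from memory of Microsoft's published build table and well-known application IDs, and should be verified against those sources before the output is relied on.

```powershell
# Added example (not from the article or from Microsoft). Read-only checks
# for the two conditions the article describes: the April 2025 hybrid
# changes being installed, and the shared service principal still being
# trusted. Assumes Exchange Management Shell plus the Microsoft.Graph module.

# --- 1. Is this server's Exchange build at or above the April 2025 HU? ---
# Hotfix and security updates do not change the version stored in Active
# Directory (Get-ExchangeServer), so the file version of ExSetup.exe is
# checked instead. Run this on every Exchange server (e.g. via Invoke-Command).
# Keys are "Major.Minor.Build" per cumulative update; values are the assumed
# April 2025 HU builds. Verify against Microsoft's Exchange build table.
$minimumBuilds = @{
    '15.1.2507' = [version]'15.1.2507.55'   # Exchange 2016 CU23 + Apr25HU (assumed)
    '15.2.1544' = [version]'15.2.1544.25'   # Exchange 2019 CU14 + Apr25HU (assumed)
    '15.2.1748' = [version]'15.2.1748.24'   # Exchange 2019 CU15 + Apr25HU (assumed)
}

function Get-LocalExchangeHotfixStatus {
    $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    $build   = [version](Get-Item $exsetup).VersionInfo.ProductVersion
    $cuKey   = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build

    $status = if (-not $minimumBuilds.ContainsKey($cuKey)) {
        'UNKNOWN CU - compare manually against Microsoft build table'
    } elseif ($build -ge $minimumBuilds[$cuKey]) {
        'OK - at or above April 2025 HU'
    } else {
        'ACTION - below April 2025 HU, install the hotfix'
    }

    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        Build  = $build
        Status = $status
    }
}

# --- 2. Does the shared Exchange Online principal still hold key credentials? ---
# Hybrid setups that rely on the shared principal add the on-premises OAuth
# certificate to this first-party service principal's keyCredentials. Any entry
# listed here means the tenant still trusts that path; Microsoft's guidance is
# to move to the dedicated hybrid app first and only then clear these keys,
# because removing them earlier breaks hybrid features.
function Get-SharedExchangeOnlinePrincipalKeys {
    # Well-known application ID of "Office 365 Exchange Online" (assumed; verify).
    $exoAppId = '00000002-0000-0ff1-ce00-000000000000'

    Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
    $sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" `
                                 -Property Id, DisplayName, KeyCredentials
    if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }

    if (-not $sp.KeyCredentials) {
        Write-Host "No key credentials on '$($sp.DisplayName)': shared-principal hybrid trust is not present."
        return
    }

    foreach ($key in $sp.KeyCredentials) {
        [pscustomobject]@{
            Principal = $sp.DisplayName
            KeyId     = $key.KeyId
            Name      = $key.DisplayName
            Type      = $key.Type
            Usage     = $key.Usage
            NotAfter  = $key.EndDateTime
        }
    }
}

Get-LocalExchangeHotfixStatus | Format-Table -AutoSize
Get-SharedExchangeOnlinePrincipalKeys | Format-Table -AutoSize
```

The first check is deliberately per-server: a hybrid organization is only as patched as its least-updated Exchange server, so the result should be collected from every server rather than from one. The second check is a posture signal, not a remediation; a non-empty key list says the tenant has not yet finished the move Microsoft describes, and the keys should only be cleared once the replacement hybrid configuration is confirmed working.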

Microsoft reported "no observed exploitation" of the vulnerability as of the time its alert was issued. CISA nonetheless urged all organizations, not only federal agencies, to adopt the actions outlined in the emergency directive to mitigate the risk.

Implications for Federal Agencies

Parts of the federal enterprise are susceptible to the vulnerability, and CISA planned to issue an emergency patching directive to the federal enterprise on Thursday, according to a person familiar with the matter.

"As America's cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend," said CISA acting Director Madhu Gottumukkala. "The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment."

Previous Vulnerability in Microsoft SharePoint

A separate on-premises Microsoft SharePoint vulnerability was disclosed last month after it was exploited against federal agencies, including the Department of Homeland Security, as first reported by Nextgov/FCW. That vulnerability was exploited worldwide by several China-linked hacking groups.

The federal government, as well as thousands of state and local governments, rely heavily on Microsoft products. For the federal enterprise, Microsoft is predominantly used across civilian and defense agencies for routine tasks like file sharing, internal messaging, records management, and remote collaboration.