https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/ BleepingComputer.com logo * * * * [ ] [Login] [Sign up] * * * * [ ] [Login] [Sign up] * News + Featured + Latest + Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems + HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks + New macOS 'KandyKorn' malware targets cryptocurrency engineers New macOS 'KandyKorn' malware targets cryptocurrency engineers + Ace Hardware says 1,202 devices were hit during cyberattack Ace Hardware says 1,202 devices were hit during cyberattack + Discord will switch to temporary file links to block malware delivery Discord will switch to temporary file links to block malware delivery + Apple 'Find My' network can be abused to steal keylogged passwords Apple 'Find My' network can be abused to steal keylogged passwords + This Babbel subscription is only $139.97 (reg. $599) through November 9th This Babbel subscription is only $139.97 (reg. $599) through November 9th + The Week in Ransomware - November 3rd 2023 - Hive's Back The Week in Ransomware - November 3rd 2023 - Hive's Back * Downloads + Latest + Most Downloaded + Qualys BrowserCheck Qualys BrowserCheck + STOPDecrypter STOPDecrypter + AuroraDecrypter AuroraDecrypter + FilesLockerDecrypter FilesLockerDecrypter + AdwCleaner AdwCleaner + ComboFix ComboFix + RKill RKill + Junkware Removal Tool Junkware Removal Tool * VPNs + Popular + Best VPNs Best VPNs + How to change IP address How to change IP address + Access the dark web safely Access the dark web safely + Best VPN for YouTube Best VPN for YouTube * Virus Removal Guides + Latest + Most Viewed + Ransomware + Remove the Theonlinesearch.com Search Redirect Remove the Theonlinesearch.com Search Redirect + Remove the Smartwebfinder.com Search Redirect Remove the Smartwebfinder.com Search Redirect + How to remove the PBlock+ adware browser extension How to remove the PBlock+ adware browser extension + Remove the Toksearches.xyz Search Redirect Remove the Toksearches.xyz Search Redirect + Remove Security Tool and SecurityTool (Uninstall Guide) Remove Security Tool and SecurityTool (Uninstall Guide) + How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo + How to remove Antivirus 2009 (Uninstall Instructions) How to remove Antivirus 2009 (Uninstall Instructions) + How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller + Locky Ransomware Information, Help Guide, and FAQ Locky Ransomware Information, Help Guide, and FAQ + CryptoLocker Ransomware Information Guide and FAQ CryptoLocker Ransomware Information Guide and FAQ + CryptorBit and HowDecrypt Information Guide and FAQ CryptorBit and HowDecrypt Information Guide and FAQ + CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ * Tutorials + Latest + Popular + How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11 How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11 + How to use the Windows Registry Editor How to use the Windows Registry Editor + How to backup and restore the Windows Registry How to backup and restore the Windows Registry + How to open a Windows 11 Command Prompt as Administrator How to open a Windows 11 Command Prompt as Administrator + How to start Windows in Safe Mode How to start Windows in Safe Mode + How to remove a Trojan, Virus, Worm, or other Malware How to remove a Trojan, Virus, Worm, or other Malware + How to show hidden files in Windows 7 How to show hidden files in Windows 7 + How to see hidden files in Windows How to see hidden files in Windows * Deals + Categories + eLearning eLearning + IT Certification Courses IT Certification Courses + Gear & Gadgets Gear + Gadgets + Security Security * Forums * More + Startup Database + Uninstall Database + Glossary + Chat on Discord + Send us a Tip! + Welcome Guide * Home * News * Microsoft * New Microsoft Exchange zero-days allow RCE, data theft attacks * * New Microsoft Exchange zero-days allow RCE, data theft attacks By Bill Toulas * November 3, 2023 * 11:14 AM * 0 Microsoft Exchange surrounded by fire Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations. The zero-day vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) yesterday, who reported them to Microsoft on September 7th and 8th, 2023. Despite Microsoft acknowledging the reports, its security engineers decided the flaws weren't severe enough to guarantee immediate servicing, postponing the fixes for later. ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks. A summary of the flaws can be found below: * ZDI-23-1578 - A remote code execution (RCE) flaw in the 'ChainedSerializationBinder' class, where user data isn't adequately validated, allowing attackers to deserialize untrusted data. Successful exploitation enables an attacker to execute arbitrary code as 'SYSTEM,' the highest level of privileges on Windows. * ZDI-23-1579 - Located in the 'DownloadDataFromUri' method, this flaw is due to insufficient validation of a URI before resource access. Attackers can exploit it to access sensitive information from Exchange servers. * ZDI-23-1580 - This vulnerability, in the 'DownloadDataFromOfficeMarketPlace' method, also stems from improper URI validation, potentially leading to unauthorized information disclosure. * ZDI-23-1581 - Present in the CreateAttachmentFromUri method, this flaw resembles the previous bugs with inadequate URI validation, again, risking sensitive data exposure. All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5. Furthermore, requiring authentication is a mitigation factor and possibly why Microsoft did not prioritize the fixing of the bugs. It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs. That said, the above zero-days shouldn't be treated as unimportant, especially ZDI-23-1578 (RCE), which can result in complete system compromise. ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised. --------------------------------------------------------------------- Update 11/4 - A Microsoft spokesperson responded to BleepingComputer's request for a comment with the following statement: We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we're committed to taking the necessary steps to help protect customers. We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate. - a Microsoft spokesperson Further Microsoft provided the below additional context on each of the discovered flaws: * Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected. * Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege. * Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials. * Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information. Related Articles: Millions of Exim mail servers exposed to zero-day RCE attacks 3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks F5 fixes BIG-IP auth bypass allowing remote code execution attacks Critical RCE flaws found in SolarWinds access audit solution * Exchange * Information Disclosure * Microsoft * RCE * Remote Code Execution * Vulnerability * Zero Day Initiative * Zero-Day * * * * * Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. * Previous Article * Next Article Post a Comment Community Rules You need to login in order to post a comment [Login] Not a member yet? Register Now You may also like: [INS::INS] Popular Stories * MrCooper Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems * Okta Okta hit by third-party data breach exposing employee information Follow us: * * * * * Main Sections * News * VPN Buyer Guides * Downloads * Virus Removal Guides * Tutorials * Startup Database * Uninstall Database * Glossary Community * Forums * Forum Rules * Chat Useful Resources * Welcome Guide * Sitemap Company * About BleepingComputer * Contact Us * Send us a Tip! * Advertising * Write for BleepingComputer * Social & Feeds * Changelog Terms of Use - Privacy Policy - Ethics Statement - Affiliate Disclosure Copyright @ 2003 - 2023 Bleeping Computer^(r) LLC - All Rights Reserved Login Username [ ] Password [ ] [*] Remember Me [ ] Sign in anonymously [Login] Sign in with Twitter button Sign in with Twitter --------------------------------------------------------------------- Not a member yet? Register Now Reporter Help us understand the problem. What is going on with this comment? * ( )Spam * ( )Abusive or Harmful * ( )Inappropriate content * ( )Strong language * ( )Other [ ] * [ ] Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT