Google, Now Windows 7 – Two Zero Day Exploits in One Week

Following the discovery of vulnerabilities in Google Chrome, Chrome Security Lead and Engineering Director Justin Schuh urged Chrome users to update to the newest version “like right this minute.” The update closes serious vulnerabilities that allow attackers to execute malicious code. Google has not yet released details of the bugs or links to the bug reports, but, historically speaking, zero-day exploits of this kind have resulted in exposure of sensitive data and financial losses.

In the same week, Google’s Security Blog released a post describing a Windows 7 vulnerability that “can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.”*

What can you do to protect yourself?

Take immediate action and update Chrome on all your systems (macOS, Linux and Windows) if it has not already updated automatically, then relaunch the browser so the new version actually takes effect. If you are still using Windows 7, upgrade to a supported version of Windows immediately.

Our Managed Security Assurance clients appreciate our approach to managing all laptops, workstations and servers.  Our monitoring & management platforms apply patches as soon as systems connect to the internet.

Be mindful that it only takes one unpatched machine to compromise the entire company.

*Source: Google Security Blog

Major Exchange Server Security Vulnerability Discovered

Situation

Security researcher Dirk-jan Mollema has recently blogged about a newly disclosed vulnerability in Exchange and how it can be exploited to escalate privileges. Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the EWS API functions, PushSubscription, can be used to make the Exchange server connect to an arbitrary web server chosen by the caller. Connections made using the PushSubscription feature attempt to authenticate to that server with NTLM. Starting with Microsoft Exchange 2013, this NTLM authentication over HTTP does not set the NTLM Sign and Seal flags. Without signing, the attacker's web server can forward the authentication to another service that accepts NTLM, such as LDAP on a domain controller, in an NTLM relay attack.

Microsoft Exchange is, by default, configured with extensive privileges on the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, the Exchange server privileges obtained with this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server: WriteDacl lets the attacker grant their own account directory replication (DCSync) rights, which expose every account's password hash, including those of Domain Admins.
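To make the signing point concrete, here is an added example (not code from the original post, from Microsoft, or from Mollema's PrivExchange tooling) that decodes the NTLMSSP NegotiateFlags from an HTTP NTLM header and flags authentications that requested neither signing nor sealing, which is the property a relay needs. Message layouts follow MS-NLMP; the sample headers are constructed inline for this example, and the domain, account and host names in them (CORP, EXCH01$, alice, WS42) are placeholders.

```python
import base64
import struct

# NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5); the field is a little-endian 32-bit int.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

SIGNATURE = b"NTLMSSP\x00"
# Byte offset of NegotiateFlags in NEGOTIATE (1), CHALLENGE (2) and
# AUTHENTICATE (3) messages (MS-NLMP 2.2.1.1 to 2.2.1.3).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
# (Len, MaxLen, BufferOffset) descriptors in AUTHENTICATE we read back.
DOMAIN_FIELDS_OFFSET = 28
USER_FIELDS_OFFSET = 36


def _read_field(msg: bytes, fields_offset: int, unicode: bool) -> str:
    """Resolve a (Len, MaxLen, BufferOffset) descriptor to its payload string."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", msg, fields_offset)
    raw = msg[buf_offset:buf_offset + length]
    return raw.decode("utf-16-le" if unicode else "latin-1")


def parse_ntlm_header(header_value: str) -> dict:
    """Parse an 'NTLM <base64>' Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        raise ValueError("not an NTLM/Negotiate header")
    msg = base64.b64decode(token)
    if not msg.startswith(SIGNATURE):
        raise ValueError("token does not carry a raw NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type not in FLAGS_OFFSET:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET[msg_type])[0]
    info = {
        "type": msg_type,
        "flags": flags,
        "sign": bool(flags & NTLMSSP_NEGOTIATE_SIGN),
        "seal": bool(flags & NTLMSSP_NEGOTIATE_SEAL),
        "always_sign": bool(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN),
    }
    if msg_type == 3:  # only AUTHENTICATE carries the domain and user names
        unicode = bool(flags & NTLMSSP_NEGOTIATE_UNICODE)
        info["domain"] = _read_field(msg, DOMAIN_FIELDS_OFFSET, unicode)
        info["user"] = _read_field(msg, USER_FIELDS_OFFSET, unicode)
    return info


def relay_candidate(info: dict) -> bool:
    """True when the client asked for neither SIGN nor SEAL.

    Such an authentication can be replayed by a relay against any target that
    does not itself enforce signing (e.g. LDAP on a DC without LDAP signing
    required). ALWAYS_SIGN alone does not protect: it only adds a dummy
    signature and is set by most clients regardless.
    """
    return not (info["sign"] or info["seal"])


def build_negotiate(flags: int) -> bytes:
    """Minimal NEGOTIATE_MESSAGE with empty DomainName/Workstation (constructed)."""
    empty = struct.pack("<HHI", 0, 0, 32)
    return SIGNATURE + struct.pack("<II", 1, flags) + empty + empty


def build_authenticate(flags: int, domain: str, user: str, workstation: str) -> bytes:
    """Minimal AUTHENTICATE_MESSAGE with empty challenge responses (constructed)."""
    header_len = 64  # Signature .. NegotiateFlags; no Version/MIC trailer
    payload = bytearray()
    descriptors = []
    # Field order: LmChallengeResponse, NtChallengeResponse, DomainName,
    # UserName, Workstation, EncryptedRandomSessionKey.
    for data in (b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):
        descriptors.append(struct.pack("<HHI", len(data), len(data), header_len + len(payload)))
        payload += data
    return (SIGNATURE + struct.pack("<I", 3) + b"".join(descriptors)
            + struct.pack("<I", flags) + bytes(payload))


def encode_header(msg: bytes) -> str:
    return "NTLM " + base64.b64encode(msg).decode("ascii")


BASE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
              | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)

# Constructed sample: an Exchange 2013+ PushSubscription callback as the
# write-up describes it, i.e. machine-account NTLM with no SIGN/SEAL requested.
EXCHANGE_CALLBACK_AUTH = encode_header(
    build_authenticate(BASE_FLAGS, "CORP", "EXCH01$", "EXCH01"))
# Constructed sample: a client that did negotiate signing and sealing.
SIGNED_CLIENT_AUTH = encode_header(
    build_authenticate(BASE_FLAGS | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL,
                       "CORP", "alice", "WS42"))


def triage(header_value: str) -> str:
    """One-line verdict suitable for a proxy or IDS log."""
    info = parse_ntlm_header(header_value)
    who = info["domain"] + "\\" + info["user"] if info["type"] == 3 else "type%d" % info["type"]
    verdict = "RELAYABLE (no SIGN/SEAL)" if relay_candidate(info) else "signing negotiated"
    return "%s flags=0x%08x sign=%s seal=%s -> %s" % (
        who, info["flags"], info["sign"], info["seal"], verdict)


if __name__ == "__main__":
    for header in (EXCHANGE_CALLBACK_AUTH, SIGNED_CLIENT_AUTH):
        print(triage(header))
```

Feed it the `Authorization: NTLM ...` value captured on the attacker-side web server (or on a proxy in front of one) and it reports the authenticating account and whether the flags make the exchange relayable; the parser only reads the flags and name fields and does not validate challenge responses or the MIC.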

Impact

  • Exchange 2013

  • Exchange 2016

  • Exchange 2019

  • There is no word yet on whether Exchange Online is impacted.

An attacker who has credentials for an Exchange mailbox and can communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without an Exchange user's password may be able to perform the same attack with an SMB-to-HTTP relay, as long as they are on the same network segment as the Exchange server.

Response

Microsoft is currently working on a fix, but it has not been released and there is no ETA. Microsoft also does not recommend several of the mitigations suggested in Mollema's original article, such as removing Exchange's permissions on the domain object in AD.

The current recommendation is to apply the registry workaround described in the CVE-2018-8581 advisory and to consider restricting or disabling EWS push and pull subscriptions until the fix is released.

Contact us now if you need help: 408-383-2000

More Information:

Original article by Dirk-jan Mollema, who published the flaw - https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

Article by Practical 365 with Microsoft’s stance - https://practical365.com/exchange-server/serious-exchange-server-vulnerability-reported/

Microsoft Security Response Center CVE-2018-8581 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

CERT Vulnerability 465632 - https://kb.cert.org/vuls/id/465632/