‘High-severity’ Microsoft Exchange vulnerability disclosed on heels of Black Hat talk


Parts of the federal enterprise are likely susceptible to the flaw, which lets an attacker who already has administrative access to an on-premises Exchange server in a hybrid deployment escalate privileges into the organization’s connected Microsoft 365 tenant, including identities synchronized from on-premises Active Directory. CISA plans to release an emergency directive on Thursday, according to a person familiar with the matter.

Update: Aug. 7

The Cybersecurity and Infrastructure Security Agency issued an emergency directive Thursday instructing agencies to take immediate action to remediate a vulnerability in hybrid Microsoft Exchange environments.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action to mitigate this vulnerability that poses a significant, unacceptable risk to the federal systems upon which Americans depend,” said CISA acting Director Madhu Gottumukkala. “The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment. While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive.”

Original

Microsoft and the Cybersecurity and Infrastructure Security Agency issued a “high-severity vulnerability” alert on Wednesday evening about a flaw affecting on-premises versions of Microsoft Exchange. The alert coincided with a talk at the Black Hat cybersecurity conference by the security researcher who discovered the flaw and presented it in detail.

The vulnerability allows an attacker who already controls an on-premises Exchange server in a hybrid configuration to chain a series of techniques that compromise the identities the organization shares with the cloud, including users synchronized from on-premises Active Directory, the Microsoft tool suite that centralizes the management of users, computers and other resources across an organization’s network.

The flaw also exposes Entra ID, Microsoft’s cloud-based identity and access management service that helps identify and authenticate network users, according to a detailed blog issued by the company.

Parts of the federal enterprise are susceptible to the vulnerability, and CISA plans to issue an emergency patching directive to the federal enterprise on Thursday, according to a person familiar with the matter.

Microsoft in its blog says it plans to accelerate its customers’ adoption of the updated configuration for Microsoft Exchange hybrid environments, a term used to describe setups where an organization runs both cloud and on-premises mail infrastructure.

The company “will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal” to make customer environments more secure, it said. The rollouts will take place over the coming months.

In a related explainer, Microsoft said it first published security changes for Exchange Server hybrid deployments in April. The company later determined that those configuration changes addressed a genuine security flaw, but many organizations had not applied them.
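The April hardening moves hybrid authentication off the shared Exchange Online service principal, and the legacy hybrid setup is recognizable in a tenant by the on-premises certificates attached to that service principal. The following PowerShell check is an added example, not code from the article, Microsoft or the researcher. It assumes the Microsoft.Graph.Applications module, an account holding Application.Read.All, and the well-known application ID of the first-party “Office 365 Exchange Online” app (00000002-0000-0ff1-ce00-000000000000), none of which the article states.

```powershell
# Added example (not Microsoft's or the article's code): flag a tenant whose
# hybrid Exchange trust still rides on the shared Exchange Online service principal.
# Assumptions: Microsoft.Graph.Applications is installed, the signed-in account has
# Application.Read.All, and $exoAppId is the well-known first-party Exchange Online
# app ID (taken from general Microsoft documentation, not from the article).

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$exoAppId = "00000002-0000-0ff1-ce00-000000000000"   # "Office 365 Exchange Online"
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"

if (-not $sp) {
    Write-Host "No Exchange Online service principal found in this tenant; nothing to check."
    return
}

# The legacy Hybrid Configuration Wizard uploads the on-premises OAuth certificate
# to this first-party service principal. Any certificate still listed here means an
# on-premises Exchange server can still obtain tokens under the shared identity.
$certs = @($sp.KeyCredentials)

if ($certs.Count -eq 0) {
    Write-Host "No certificates attached to the shared Exchange Online service principal."
    Write-Host "Legacy hybrid trust appears to have been removed."
} else {
    Write-Warning ("{0} certificate(s) still attached to the shared Exchange Online " +
                   "service principal; the legacy hybrid trust is still in place:") -f $certs.Count
    $certs |
        Select-Object DisplayName, KeyId, StartDateTime, EndDateTime |
        Sort-Object EndDateTime |
        Format-Table -AutoSize
}
```

The check is read-only: it reports which certificates are still bound to the shared service principal so an administrator can decide whether the April configuration changes were ever applied, and it deliberately does not remove anything, since deleting the wrong credential breaks hybrid mail flow.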

At Black Hat in Las Vegas, Nevada, Outsider Security researcher Dirk-jan Mollema presented a long-form demo exploiting the flaw, where he said he was able to modify user passwords, convert cloud users to hybrid users and impersonate hybrid users.

Through the exploit, hackers could also tamper with service principals, the identities Microsoft 365 uses to grant applications and services access to a tenant, and use them to escalate privileges or establish persistent access between on-premises Exchange and Microsoft 365 by altering the identities and permissions configured in the environment.

“These tokens, they’re basically valid for 24 hours. You cannot revoke them. So if somebody has this token, there’s absolutely nothing you can do from a defensive point of view,” Mollema said.

He was referring to the access tokens that on-premises Exchange servers present when they call Microsoft 365. Once issued, those tokens cannot be revoked, so an attacker who obtains one has up to 24 hours of access that defenders cannot cut short. Combined with the broad permissions held by the shared Exchange Online service principal, that access could let hackers read mailbox data or move deeper into an organization’s cloud environment undetected.

Microsoft said there was “no observed exploitation” of the vulnerability at the time the alert was issued.

Multiple federal agencies were impacted in a separate on-premises Microsoft SharePoint vulnerability disclosed last month, including the Department of Homeland Security, which was first reported by Nextgov/FCW. That vulnerability was exploited worldwide by several China-linked hacking groups.

The federal government, as well as thousands of state and local governments, rely heavily on Microsoft products. For the federal enterprise, Microsoft is predominantly used across civilian and defense agencies for routine tasks like file sharing, internal messaging, records management and remote collaboration.