Microsoft Exchange 2013 and newer versions vulnerable to NTLM relay attacks

Microsoft Exchange 2013 and newer versions are vulnerable to NTLM relay attacks and privilege escalation. Administrators should review and apply the necessary workarounds until a permanent patch is made available.

According to the National Cybersecurity and Communications Integration Center (NCCIC), Exchange 2013 and newer fail to set the signing and sealing flags on NTLM authentication traffic. Attackers could exploit this vulnerability, CVE-2019-0686, to gain elevated privileges on an Exchange server.

Microsoft Exchange supports an API called Exchange Web Services (EWS), which allows programmers to access Microsoft Exchange items, such as calendars, contacts and email.

One of the EWS API functions, PushSubscriptionRequest, can then be misused to cause an Exchange server to connect to arbitrary websites.

An excerpt of the issue as described in the NCCIC security advisory:

“Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks.”

Furthermore, an attacker can also gain domain administrator privileges if they have access to Exchange mailbox credentials AND can communicate with both an Exchange server and a Windows domain controller.

It was also noted that an attacker could perform the same attacks using an SMB to HTTP relay attack, even without knowing an Exchange user’s password. In that case, the attacker would need to be on the same network segment as the Exchange user to pull this off.

The advisory provides a few workarounds, including:

  • Disable Exchange Web Services (EWS) push/pull subscriptions.
  • Remove the privileges that Exchange holds on the domain object (note: this workaround was provided on GitHub, but was not endorsed by Microsoft or CERT).
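
One way to apply the first workaround, as an added example that is not part of the original article or the advisory: an Exchange Management Shell script that caps EWS subscriptions at zero in an organization-scoped throttling policy and then verifies the setting. The policy name is a placeholder, and the script assumes Exchange 2013 or newer cmdlets plus the IIS WebAdministration module for recycling the EWS application pool.

```powershell
# Added example: disable EWS push/pull subscriptions organization-wide.
# Run from the Exchange Management Shell on an Exchange 2013+ server.
# The policy name is a placeholder; any unused name works.
$PolicyName = 'NoEWSSubscription'

# Look for an existing organization-scoped throttling policy (at most one exists).
$orgPolicy = Get-ThrottlingPolicy -ThrottlingPolicyScope Organization -ErrorAction SilentlyContinue

if ($null -eq $orgPolicy) {
    # No organization policy yet: create one that forbids EWS subscriptions.
    $orgPolicy = New-ThrottlingPolicy -Name $PolicyName `
        -ThrottlingPolicyScope Organization `
        -EwsMaxSubscriptions 0
    Write-Host "Created organization throttling policy '$($orgPolicy.Name)'."
}
else {
    # An organization policy already exists: tighten only the EWS subscription
    # limit and leave the other throttling settings untouched.
    Set-ThrottlingPolicy -Identity $orgPolicy.Identity -EwsMaxSubscriptions 0
    Write-Host "Updated existing policy '$($orgPolicy.Name)'."
}

# Recycle the EWS application pool so running EWS workers pick up the new limit.
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeServicesAppPool'

# Verify: the effective organization policy must report 0 EWS subscriptions.
$check = Get-ThrottlingPolicy -ThrottlingPolicyScope Organization
if ("$($check.EwsMaxSubscriptions)" -eq '0') {
    Write-Host 'OK: EWS push/pull subscriptions are disabled.'
}
else {
    Write-Warning "EwsMaxSubscriptions is '$($check.EwsMaxSubscriptions)', not 0."
}
```

The throttling policy is stored once in Active Directory, but the application pool recycle is local, so run that step on every server hosting the EWS virtual directory. This blocks all EWS subscriptions, so clients that rely on EWS notifications will stop receiving them until the setting is reverted.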

The CVSS base score of the vulnerability is rated 8.3 (10 being the highest). Workarounds should be thoroughly tested to ensure they work in your environment.