4 Zero-Day Bugs in Microsoft Exchange Let Attackers Execute Arbitrary Code

Four new zero-day vulnerabilities have been identified in Microsoft Exchange; they are associated with server-side request forgery (SSRF) and remote code execution (RCE). These vulnerabilities have not been assigned CVEs and carry severities ranging from 7.1 (High) to 7.5 (High).

Microsoft Exchange, developed by Microsoft, is a mail and calendaring server that runs only on Windows Server operating systems. Microsoft has yet to release patches for these vulnerabilities.

ZDI-23-1581: Server-Side Request Forgery Vulnerability

This vulnerability exists within the CreateAttachmentFromUri method, which does not properly validate the URI before accessing the resource it points to. A threat actor can exploit this to retrieve sensitive information from affected Microsoft Exchange servers.

However, as a prerequisite, the threat actor requires authentication for successfully exploiting this vulnerability. The severity of this vulnerability has been given as 7.1 (High).

ZDI-23-1580: Server-Side Request Forgery Vulnerability

This vulnerability exists within the DownloadDataFromOfficeMarketPlace method, which lacks proper validation of the URI before accessing the resource it points to. A threat actor can leverage this to retrieve sensitive information from affected Microsoft Exchange servers.

However, as a prerequisite, the threat actor requires authentication for successfully exploiting this vulnerability. The severity of this vulnerability has been given as 7.1 (High).


ZDI-23-1579: Server-Side Request Forgery Vulnerability

This vulnerability exists within the DownloadDataFromUri method, which has improper validation of the URI before accessing the resource it points to. A threat actor can leverage this to retrieve sensitive information from affected Microsoft Exchange servers.

However, as a prerequisite, the threat actor requires authentication to successfully exploit this vulnerability. The severity of this vulnerability has been given as 7.1 (High).

ZDI-23-1578: Deserialization of Untrusted Data Leads to Remote Code Execution

This weakness is in the ChainedSerializationBinder class, which does not properly validate user-supplied input, allowing untrusted data to be deserialized. A threat actor can exploit this to execute code on affected versions of Microsoft Exchange in the context of SYSTEM.

However, as a prerequisite, the threat actor requires authentication to exploit this vulnerability. The severity of this vulnerability has been given as 7.5 (High).
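The defensive pattern behind this class of bug is a serialization binder that fails closed. The following is an added illustration in C#, not Exchange code and not the ChainedSerializationBinder discussed above; the type names in the allowlist are hypothetical. It contrasts a permissive binder, which resolves whatever type name the payload supplies, with one that maps a fixed allowlist to concrete types and rejects everything else.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Hypothetical application types that are legitimately exchanged over the wire.
[Serializable] public sealed class CalendarItemDto { public string Subject; }
[Serializable] public sealed class AttachmentMetadataDto { public string Name; public long Size; }

// Permissive pattern: the type name embedded in the payload is resolved directly.
// With this binder, the payload decides which type gets instantiated, so an attacker
// who controls the serialized data can select any loadable type (a gadget) at will.
public sealed class PermissiveBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
        => Type.GetType($"{typeName}, {assemblyName}", throwOnError: true);
}

// Hardened pattern: only explicitly listed types may be created, and the mapping goes
// from string to a Type object fixed at compile time, so neither the type name nor the
// assembly name in the payload can steer resolution toward an unexpected type.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            [typeof(CalendarItemDto).FullName] = typeof(CalendarItemDto),
            [typeof(AttachmentMetadataDto).FullName] = typeof(AttachmentMetadataDto),
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        // Fail closed: an unknown name is an error, never a fallback to Type.GetType().
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        throw new SerializationException($"Type not permitted for deserialization: {typeName}");
    }

    public override void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        // Emit names on the same allowlist so round-trips of legitimate data keep working.
        if (!Allowed.ContainsKey(serializedType.FullName))
            throw new SerializationException($"Type not permitted for serialization: {serializedType}");
        assemblyName = null; // let the formatter use its default for the assembly
        typeName = serializedType.FullName;
    }
}
```

The binder is attached to whichever formatter the application uses (for example by assigning it to the formatter's Binder property); the allowlist should contain only plain data types, never types with side-effecting constructors or deserialization callbacks.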

Responses from Microsoft

Microsoft stated that these vulnerabilities were not severe enough to be patched immediately because they require authentication to exploit. However, it should be noted that threat actors can obtain credentials by various means, such as social engineering and phishing.

“We’ve reviewed these reports and have found that they have either already been addressed or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate,” stated Microsoft.

All of these vulnerabilities were discovered by Piotr Bazydlo (@chudypb) of the Trend Micro Zero Day Initiative.

Moreover, ZDI researchers disclosed these vulnerabilities after first informing Microsoft. The vulnerabilities were discovered by researchers of the Zero Day Initiative, which collaborates with Trend Micro. Microsoft has yet to release patches for them.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.