Four Zero-Day MS Exchange Flaws Identified that Allow RCE and Data Theft

Four zero-day vulnerabilities have been identified in Microsoft Exchange that can lead to the disclosure of sensitive information and even remote code execution. The flaws were discovered by security researchers at Trend Micro’s Zero Day Initiative (ZDI) and were reported to Microsoft on September 7th and September 8th, 2023.

Although Microsoft has known about the flaws for two months, no patches have been released: Microsoft assessed them and determined they were not severe enough to warrant immediate patching. The ZDI researchers disagreed and have now published details of the flaws to alert Microsoft Exchange administrators. Remote code execution (RCE) flaws are rated critical only when they can be exploited without authentication, and all four of these vulnerabilities require an authenticated attacker, so they have been assigned high-severity CVSS scores of between 7.1 and 7.5 rather than critical ratings. That authentication requirement means an attacker needs valid credentials for the Exchange server before any of the flaws can be exploited; such credentials could be obtained in a phishing attack, for example, or by brute-forcing weak passwords.

The flaws are currently tracked under ZDI advisory identifiers, as listed below:

  • ZDI-23-1578 – A remote code execution vulnerability in the ‘ChainedSerializationBinder’ class, which does not adequately validate user-supplied data. An authenticated attacker can use it to deserialize untrusted data and execute arbitrary code as SYSTEM, giving full control of the server.
  • ZDI-23-1579 – An information disclosure vulnerability in the ‘DownloadDataFromUri’ method, which does not sufficiently validate a URI before accessing the resource it points to. Successful exploitation allows an attacker to read sensitive information from the Exchange server.
  • ZDI-23-1580 – An information disclosure vulnerability in the ‘DownloadDataFromOfficeMarketPlace’ method, caused by the same insufficient validation of a URI before resource access.
  • ZDI-23-1581 – An information disclosure vulnerability in the ‘CreateAttachmentFromUri’ method, again caused by insufficient validation of a URI before resource access.
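The first advisory describes the classic shape of a deserialization bug: the loader resolves whatever types a stream names, so a stream that names a command-execution function gets it invoked. The following is an added example written for this page, not Exchange code and not ZDI's proof of concept. It uses Python's pickle as a stand-in for .NET serialization: the `RestrictedUnpickler`, its `ALLOWED_GLOBALS` list, the `Gadget` payload and the sample blobs are all constructed here to show what a type allowlist (the job a serialization binder is meant to do) changes.

```python
import io
import os
import pickle
from collections import OrderedDict

# Constructed allowlist of (module, name) globals the loader may resolve. Everything
# else, including os.system, is refused before any object is built.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Loader with a type allowlist. find_class is the hook pickle calls for every
    global the stream references, so it is the one place to enforce the list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


class Gadget:
    """Constructed malicious payload: when unpickled it asks the loader to call
    os.system, so the command runs with the privileges of the deserializing process."""

    def __reduce__(self):
        return (os.system, ("echo pwned by deserialization",))


def unsafe_load(blob: bytes):
    """The 'no binder' pattern: any callable named in the stream is resolved and invoked."""
    return pickle.loads(blob)


def safe_load(blob: bytes):
    """Same bytes, but every referenced type must pass the allowlist first."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Constructed sample streams: one legitimate object and one attacker-supplied payload.
BENIGN = pickle.dumps(OrderedDict([("mailbox", "alice"), ("unread", 3)]))
MALICIOUS = pickle.dumps(Gadget())


def demo() -> dict:
    """Runs both blobs through the restricted loader and reports what happened."""
    results = {"benign": list(safe_load(BENIGN).items())}
    try:
        safe_load(MALICIOUS)
        results["malicious"] = "executed"
    except pickle.UnpicklingError as err:
        results["malicious"] = "blocked: " + str(err)
    return results


if __name__ == "__main__":
    print(demo())
    # Without the allowlist the same bytes run the command; that is the RCE pattern
    # the advisory describes, here limited to a harmless echo.
    unsafe_load(MALICIOUS)
```

The point of the allowlist is that the decision is made before any object exists: the stream never gets as far as constructing the gadget, so no later validation of its contents is needed.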
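The other three advisories share one root cause: a method fetches whatever URI it is handed, so an authenticated user can point the server at internal hosts, metadata endpoints or local files and read the response. The following is an added example for this page, not Exchange code, showing the naive pattern beside a pre-fetch check of the kind such methods need. The allowlists, the `FAKE_DNS` table (used so the example runs offline) and the probe URIs are all constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlists for this example; a real server would load them from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"marketplace.example.com", "cdn.example.com"}

# Constructed DNS table so the example runs offline. cdn.example.com deliberately
# resolves to loopback to model a rebinding attack or a hijacked record.
FAKE_DNS = {
    "marketplace.example.com": "93.184.216.34",
    "cdn.example.com": "127.0.0.1",
}


def naive_target(uri: str) -> str:
    """The 'insufficient validation' pattern: whatever host the caller names is the
    host the server will connect to. Returns that host (no network I/O here)."""
    return urlsplit(uri).hostname or ""


def validate_download_uri(uri: str, resolve=socket.gethostbyname) -> str:
    """Hardened pre-fetch check. Returns the IP the caller should connect to, or raises
    ValueError with the reason. `resolve` is injectable so tests can run offline."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://allowed.host@127.0.0.1/' puts the allowlisted name in the userinfo
        # field while the real host is the loopback address.
        raise ValueError("userinfo in URI not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    ip = ipaddress.ip_address(resolve(host))
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    # Connect to this IP and re-check any redirect target; re-resolving the name
    # at connect time would reopen the rebinding window.
    return str(ip)


def check(uri: str) -> str:
    """Returns 'allowed:<ip>' or 'rejected:<reason>' for one URI."""
    try:
        return "allowed:" + validate_download_uri(uri, resolve=FAKE_DNS.__getitem__)
    except ValueError as err:
        return "rejected:" + str(err)


# Constructed probe URIs of the kind an authenticated attacker might supply.
PROBES = [
    "https://marketplace.example.com/item/1",
    "http://169.254.169.254/latest/meta-data/",
    "file:///etc/passwd",
    "https://marketplace.example.com@127.0.0.1/",
    "https://cdn.example.com/logo.png",
]


def run_probes() -> dict:
    return {uri: check(uri) for uri in PROBES}


if __name__ == "__main__":
    for uri, verdict in run_probes().items():
        print(f"naive would contact {naive_target(uri)!r:28} hardened: {verdict}")
```

Two of the probes are worth noting: the userinfo trick puts an allowlisted name where a substring or prefix check would find it while the connection actually goes to loopback, and the last probe passes every string check yet still reaches a non-public address, which is why the check has to look at the resolved IP rather than the hostname alone.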

Unfortunately, until Microsoft releases patches, the only effective mitigation currently available is to restrict interaction with the Exchange application, which is far from ideal for most businesses. Because every one of these flaws requires valid credentials, admins should also ensure that multifactor authentication is enforced for Exchange access, so that a phished or guessed password alone is not enough to reach the vulnerable code.

Microsoft has confirmed that the vulnerabilities have either already been addressed or do not meet the criteria for immediate servicing, and that any which have not yet been addressed will be fixed in future product versions and updates.

Author: NetSec Editor