Date: 30 January 2019
An ALERT is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. (The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this ALERT to recipients as requested.)
The goal of this Alert is to bring heightened attention to a Microsoft Exchange privilege escalation vulnerability disclosed on 21 January 2019, affecting Exchange 2013 through 2016. There is currently no patch available.
Using stolen credentials, a malicious actor who can communicate with both a Microsoft Exchange server and a Windows Domain Controller in the same domain may be able to gain domain administrator privileges. It is also reported that a malicious actor may be able to exploit the same vulnerability using an SMB to HTTP relay attack, as long as they are in the same network segment as the Exchange server, even if they only have a valid login credential without a password.
This vulnerability is a combination of three (default) settings and mechanisms that a malicious actor can abuse to escalate privileges from any email account to a domain administrator.
The three issues are as follows:
- Exchange servers have high privileges by default in a domain.
- NTLM authentication can be relayed.
- Exchange servers can be asked to authenticate to an arbitrary IP using the EWS (Exchange Web Services) PushSubscription feature.
The Cyber Centre recommends the following mitigations:
- Consider disabling EWS push/pull subscriptions if they are not required.
- Enable LDAP signing and LDAP channel binding to prevent relaying to LDAP and LDAPS respectively.
- Use an internal firewall to prevent Exchange from connecting to workstations - typically workstations should connect to Exchange, not the opposite. This makes exploitation more difficult to accomplish.
- Enable Extended Protection for Authentication on the Exchange endpoints in IIS. This verifies the channel binding parameters in the NTLM authentication, which ties the NTLM authentication to a TLS connection and prevents relaying to Exchange web services.
- Remove the registry key which makes relaying back to the Exchange server possible, as discussed in Microsoft's mitigation for CVE-2018-8518.
- Enforce SMB signing on Exchange servers (and preferably on all other servers and workstations in the domain) to prevent cross-protocol relay attacks to SMB.
- Remove unnecessary high privileges that Exchange may have on the Domain object (this is not supported by Microsoft and may break some instances).
- Monitor Domain Controller logs for event 5136 and search for the following GUIDs:
  - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
  - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
  - 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set)
- Monitor Domain Controller logs for logon events with the following fields to detect NTLM relay attacks in which the Exchange server's credentials were used. The Source Network Address field will show the IP address of the attacker:
  - Authentication Package = NTLM
  - Account Name = YOUREXCHANGESERVER$
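The two monitoring checks above, as an added example that is not part of the Cyber Centre's alert: Python that parses Windows security events exported in XML form and flags (a) 5136 directory-change events whose written attribute value carries one of the three replication GUIDs, and (b) NTLM logons as the Exchange computer account whose Source Network Address is not one of the server's own. The sample events, the account name EXCH01$, the addresses and the use of 4624 as the logon event ID are constructed or assumed, not taken from the alert.

```python
import xml.etree.ElementTree as ET

# Replication extended-right GUIDs from the alert; an ACE carrying one grants DCSync-style reads.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one event in Windows XML export form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    return event_id, {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}

def find_replication_grants(xml_events):
    """Flag 5136 events whose newly written attribute value contains a replication GUID."""
    hits = []
    for event_id, data in map(parse_event, xml_events):
        if event_id != 5136:
            continue
        value = data.get("AttributeValue", "").lower()  # SDDL text for nTSecurityDescriptor writes
        hits += [(data.get("SubjectUserName"), data.get("ObjectDN"), right)
                 for guid, right in REPLICATION_RIGHTS.items() if guid in value]
    return hits

def find_exchange_ntlm_logons(xml_events, exchange_account, expected_sources):
    """Flag NTLM logons as the Exchange computer account whose Source Network Address
    is not one of the server's own addresses: the server's credential was relayed."""
    return [(data.get("IpAddress"), data.get("WorkstationName"))
            for _, data in map(parse_event, xml_events)
            if data.get("AuthenticationPackageName") == "NTLM"
            and data.get("TargetUserName", "").upper() == exchange_account.upper()
            and data.get("IpAddress") not in expected_sources]

def _event(event_id, **fields):
    """Build one constructed event in the Windows XML export layout (sample data only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>'

# Constructed sample log: a DACL write granting Get-Changes-All, a benign edit, and two NTLM logons
# (4624 is assumed here as the logon event ID; the alert does not name one).
SAMPLE_EVENTS = [
    _event(5136, SubjectUserName="EXCH01$", ObjectDN="DC=corp,DC=example", AttributeLDAPDisplayName="nTSecurityDescriptor",
           AttributeValue="O:DAG:DAD:(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"),
    _event(5136, SubjectUserName="jsmith", ObjectDN="CN=Sales,DC=corp,DC=example", AttributeValue="Sales team"),
    _event(4624, AuthenticationPackageName="NTLM", TargetUserName="EXCH01$", IpAddress="10.0.5.23", WorkstationName="WS-FIN-07"),
    _event(4624, AuthenticationPackageName="NTLM", TargetUserName="EXCH01$", IpAddress="10.0.1.10", WorkstationName="EXCH01"),
]
```

Real events can be exported with `wevtutil qe Security /f:xml` on the Domain Controller and fed to the two functions; the expected-sources set should hold every address the Exchange server legitimately authenticates from.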
Note to readers
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.