
How to Secure Your Microsoft Exchange Server from New Zero-Day Vulnerabilities

November 7, 2023 By Rublon Authors

Last updated on March 26, 2024

Microsoft Exchange Server is a widely used email and calendar platform for businesses and organizations. However, it is also a frequent target of cyberattacks that aim to steal or damage sensitive data. Recently, four new zero-day vulnerabilities were detected by independent researchers from Zero Day Initiative.

While the new zero-day vulnerabilities do not have a CVE assigned to them and require prior access to email credentials, they can still allow attackers to execute arbitrary code or access information on the Exchange Server. That makes robust Exchange Server authentication all the more important. For that reason, we recommend using Multi-Factor Authentication (MFA) for Outlook Web App (OWA) and Exchange Control Panel (ECP).

In this article, we will explain what the newly found Exchange Server zero-day vulnerabilities are, how hackers can exploit them, and what you can do to secure your Exchange Server from them.

What Are the New Microsoft Exchange Zero-Day Vulnerabilities?

The new Microsoft Exchange zero-day vulnerabilities are four security flaws that affect the Exchange Server. They are identified as ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, and ZDI-23-1581. These zero-day vulnerabilities can be exploited by an authenticated attacker to perform remote code execution (RCE) or information disclosure on the Exchange Server. Authentication is required to exploit these vulnerabilities.

Remote code execution (RCE) means that the attacker can run any command or program on the server, while information disclosure means that the attacker can access sensitive data or files on the server. These vulnerabilities can be used to steal emails, contacts, calendars, passwords, or other sensitive information, or to install malware, ransomware, or backdoors on the server.

The details of these vulnerabilities are as follows:

  • ZDI-23-1578 – A flaw in the ChainedSerializationBinder class, where user data is not properly validated, allowing remote code execution (RCE) through the deserialization of malicious data. If exploited, the flaw can let attackers run any code as ‘SYSTEM,’ the highest privilege level on Windows.
  • ZDI-23-1579 – A flaw in the DownloadDataFromUri method that does not properly validate the URI before accessing the resource. The flaw can allow attackers to get sensitive information from Exchange servers.
  • ZDI-23-1580 – A flaw in the DownloadDataFromOfficeMarketPlace method that results from faulty URI validation. It can lead to unauthorized disclosure of information.
  • ZDI-23-1581 – A flaw in the CreateAttachmentFromUri method, where poor URI validation can expose sensitive data and lead to a possible Server Side Request Forgery (SSRF) when inserting an attachment.

How Hackers Can Exploit These Vulnerabilities

To exploit these vulnerabilities, the attacker needs to have valid credentials to access the Exchange Server. This means that the attacker needs to have the username and password of an Exchange user or administrator. Cybercriminals have many ways of compromising user credentials. For example, hackers can compromise credentials through phishing and brute-force attacks.

Once the attacker has the credentials, they can send specially crafted requests to the Exchange Server, using the vulnerabilities to execute code or disclose information. The attacker can also chain the vulnerabilities together, using one to gain access to another and increase the impact of the attack.

For example, the attacker can use ZDI-23-1578 to execute code as SYSTEM on the Exchange Server, and then use ZDI-23-1579, ZDI-23-1580, or ZDI-23-1581 to access information from the Exchange Server or other Exchange Servers on the network. Alternatively, the attacker can use ZDI-23-1579, ZDI-23-1580, or ZDI-23-1581 to access information from the Exchange Server, and then use ZDI-23-1578 to execute code on the Exchange Server.

How Can You Secure Your Exchange Server From These Vulnerabilities?

The first thing you should do to secure your Exchange Server from these zero-day vulnerabilities is to update your Exchange Server software as soon as possible. Microsoft released an August Update to fix ZDI-23-1578. Future updates will potentially fix other vulnerabilities. You can download the updates from the Microsoft Security Response Center or the Microsoft Update service. You should also check your Exchange Server logs and activity for any signs of compromise or suspicious behavior.

However, your security strategy should focus not only on the known vulnerabilities but, above all, on defending your Exchange Server in the long run against any future cyber threats. The best way to secure your Exchange Server from these and future Microsoft Exchange vulnerabilities is to use multi-factor authentication (MFA) for your Exchange Server users and administrators. MFA is a security feature that requires more than one piece of evidence to verify the identity of the user. The evidence can be a FIDO security key, a password, a mobile app, or a fingerprint of the user, among many others.

MFA makes it harder for attackers to access the Exchange Server, even if they have the password. This is because cybercriminals need to have the second factor as well.

Protect Your Microsoft Exchange Server With Rublon MFA

One of the best MFA solutions for Exchange Server is Rublon MFA.

Rublon is a cloud-based service that enables sophisticated multi-factor authentication (MFA) for Outlook Web App (OWA) and Exchange Control Panel (ECP) and provides a simple and secure way to authenticate users.

With Rublon you can:

  • Provide air-tight MFA security for your OWA and ECP logins.
  • Use multiple powerful authentication methods, such as FIDO Security Key, Mobile Push, Mobile Passcode (TOTP), QR Code, and more.
  • Enforce security policies for different user groups and applications. The policies can dictate which methods should be available, whether users can allow their devices to be remembered, and more.

By using Rublon MFA, you can considerably reduce the risk of unauthorized access and exploitation of the Microsoft Exchange zero-day vulnerabilities, as well as any other potential future security threats. Rublon MFA can also improve the user experience and productivity, as well as compliance with cybersecurity regulations.

Do not wait a minute longer. Secure your Exchange servers with Rublon MFA.

Conclusion

The new Microsoft Exchange zero-day vulnerabilities are security flaws that can allow attackers to execute code or access information on your Exchange Server, but they require prior access to email credentials. To secure your Exchange Server from these zero-day vulnerabilities, you should update your Exchange Server software as soon as possible. To add long-term protection for your Exchange Server, we highly recommend using multi-factor authentication (MFA) for both Outlook Web App (OWA) and Exchange Control Panel (ECP) logins. One of the best MFA solutions is Rublon, which can prevent unauthorized access to OWA and ECP and thus prevent the exploitation of current and future vulnerabilities. By using Rublon, you can ensure the security and integrity of your Exchange Server and your data.
