Microsoft is Investigating a Major Exchange Bug

Posted on September 23, 2021 by Paul Thurrott in Cloud, Microsoft 365 with 3 Comments

Researchers have discovered an Exchange Autodiscover flaw that can be used to steal Windows users’ credentials. Microsoft says it is investigating.

“Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to ‘leak’ web requests to Autodiscover domains outside of the user’s domain but in the same TLD [top-level domain],” Guardicore’s Amit Serper writes of his firm’s discovery. “This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs.”

To test the flaw, Guardicore acquired multiple Autodiscover domains with a TLD suffix and set them up to reach a web server that it controls. It quickly detected a massive leak of Windows domain credentials reaching that server. Over a four-month period between April and August 2021, the domains leaked over 372,000 Windows domain credentials, and Microsoft Outlook, mobile email clients, and other applications interfacing with Microsoft’s Exchange server leaked 96,671 unique credentials.

Using this flaw, Guardicore also developed a test attack that downgrades a client’s authentication from a secure scheme based on OAuth and NTLM to HTTP Basic Authentication, so that credentials are sent in clear text.
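One way for defenders to look for this behaviour in their own proxy or web logs is to flag Autodiscover requests that leave the organisation’s domains, and to escalate when HTTP Basic credentials went along with them. The following is an added example, not Guardicore’s or Microsoft’s code; it assumes a constructed log format (timestamp, client IP, method, host, path, status, auth scheme), treats `example.com` as the organisation’s own domain, and assumes the leaky hosts take the `autodiscover.<tld>` form the article describes.

```python
import re
# Constructed proxy-log format (hypothetical):
#   <timestamp> <client_ip> <method> <host> <path> <status> <auth_scheme>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<auth>\S+)$"
)

def classify_autodiscover_host(host, org_domains):
    """Return why an Autodiscover host is suspicious, or None if it is ours."""
    labels = host.lower().split(".")
    if labels[0] != "autodiscover" or len(labels) < 2:
        return None
    parent = ".".join(labels[1:])
    if parent in org_domains:
        return None  # autodiscover.<our-domain>: the expected first attempt
    if len(labels) == 2:
        return f"Autodiscover request backed off to TLD-level host {host}"
    return f"Autodiscover request to foreign domain {host}"

def find_autodiscover_leaks(log_lines, org_domains):
    """Flag Autodiscover requests that left the organisation's own domains."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or "/autodiscover" not in m["path"].lower():
            continue
        reason = classify_autodiscover_host(m["host"], org_domains)
        if reason is None:
            continue
        # Basic auth to a host we do not control means credentials left in clear text.
        severity = "high"
        if m["auth"].lower() == "basic":
            severity, reason = "critical", reason + "; HTTP Basic credentials sent"
        findings.append({"client": m["client"], "host": m["host"],
                         "reason": reason, "severity": severity})
    return findings

# Constructed sample lines (not real traffic); example.com is the assumed org domain.
SAMPLE_LOG = [
    "2021-09-23T10:00:01Z 10.0.0.5 POST autodiscover.example.com /autodiscover/autodiscover.xml 200 Negotiate",
    "2021-09-23T10:00:02Z 10.0.0.5 POST example.com /autodiscover/autodiscover.xml 404 -",
    "2021-09-23T10:00:03Z 10.0.0.5 POST autodiscover.com /autodiscover/autodiscover.xml 401 -",
    "2021-09-23T10:00:04Z 10.0.0.5 POST autodiscover.com /autodiscover/autodiscover.xml 200 Basic",
]

if __name__ == "__main__":
    for f in find_autodiscover_leaks(SAMPLE_LOG, {"example.com"}):
        print(f["severity"].upper(), f["client"], f["reason"])
```

On the sample lines above, the request to the organisation’s own autodiscover.example.com is ignored, the two requests to autodiscover.com are flagged, and the one that carried Basic credentials is rated critical.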

If you’re interested in this kind of thing, Guardicore’s explanation of the flaw and how it can be exploited is fascinating and goes into great detail.

Microsoft is looking into the issue, but it chided Guardicore for not alerting it about the flaw before publicizing it.

“We are actively investigating and will take appropriate steps to protect customers,” Microsoft senior director Jeff Jones said. “We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.”


3 responses to “Microsoft is Investigating a Major Exchange Bug”

  1. rmlounsbury

    Wow, the Exchange hits just keep on coming, don't they? Is it known if this impacts on-premises Exchange or does it also impact Microsoft 365 services as well?

  2. davestork

    I disagree that the post goes into great detail, at least relevant detail. At least with Microsoft clients the so-called "back-off" behavior has not been reproduced by others.

    The researcher has not provided details of how "back-off" exactly works; it is just stated as fact, referencing the protocol. The AutoDiscover protocol definition by Microsoft has no mechanism for the mechanism described.

    My problem with the article is that this "back-off" mechanism is key to this issue, which the researcher calls a flaw in the protocol. However, IMHO there is not enough information that this is a client implementation problem from third-party solutions or other configuration issues.

    There is also a reference to a Black Hat article from 2017 which is provided as proof that the protocol is flawed but never repaired. However, that article mentions client implementation issues, not design flaws in the protocol. It recommends implementing Microsoft best practices. Weird if there is a fundamental protocol issue.

    Now, there is something to be said that clients should not provide credentials to any host without proper verification and that the protocol should provide some way to verify. But that also depends on a correct client protocol implementation.

    But, I'm not a security researcher and am open to new information.

    • freezal

      As an Exchange guy, I am with you. I do not see a protocol issue. Maybe a client issue, but if your SCP and DNS are correctly configured, even this possible client issue is a non-issue.