Microsoft Exchange 2013 and newer versions are vulnerable to a privilege escalation attack that gives anyone with a mailbox a way to gain domain administrator rights at potentially 90% of organisations running Active Directory and Exchange, according to a security researcher. The attack relies on the extensive privileges Exchange is granted in Active Directory by default, so, the researcher argues, it is a consequence of Exchange's default configuration rather than a single coding flaw that a patch would close.
Microsoft Exchange (2013 and more recent) vulnerable to 'PrivExchange' zero-day: https://t.co/gmIFAnK8gV (by ZDNet's @campuscodi)
— Mary Jo Foley (@maryjofoley) January 29, 2019
Patrick Hunter, Sales Engineering Director at One Identity:
“Nearly every business runs and uses Active Directory as a major part of its IT strategy. As it is trusted, it is typically made the primary source of authentication and authorisation for business desktops. Default permissions should never be relied upon and vulnerabilities caused by misconfiguration are nothing new. Without strong skills and knowledge of best practices, they will continue to be an issue at every organisation. Once passwords and accounts have been compromised, no amount of controls is going to mitigate the impact on an affected organisation. One mistake can undo a whole security strategy. Active Directory is used to hold accounts for Exchange and many other applications, so if you’re able to get domain-level admin rights, you could extend this to gaining rights to other critical applications.
Never rely on default permissions. Remain sceptical and always test implementations with the minimum set of rights in your test/dev environment. Would you install a security firewall or camera and leave the default password? These accounts should be treated the same way. Always implement a strong authentication programme using some form of multifactor authentication to verify a person is who they say they are. Of course, you can never be sure you have covered all bases, so some form of analytics is going to go a long way to trap unwanted actions from intruders. You should also check to see if the operations being executed are in keeping with the day-to-day work and alert those that aren’t.”
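The practical check that follows from "never rely on default permissions" is to look at what Exchange's own security groups are actually allowed to do at the top of the domain, since those default grants are what the attack described above turns into domain-level rights. The script below is an added example, not part of the article or One Identity's advice. It assumes the RSAT ActiveDirectory module is installed, that the domain still uses the group names Exchange setup creates ("Exchange Windows Permissions" and "Exchange Trusted Subsystem"), and that the account running it can read the domain object's ACL. It reads the ACL on the domain naming context and flags any access control entry for those groups that confers control of the object (WriteDacl, WriteOwner, GenericAll, GenericWrite) or directory-replication extended rights, which is the kind of grant that a mailbox user should never be able to reach through Exchange.

```powershell
# Audit the domain root ACL for rights held by Exchange's default security groups.
# Added example for this page; assumes RSAT ActiveDirectory and default group names.
Import-Module ActiveDirectory

# Group names Exchange setup creates (assumption: not renamed in this domain).
$ExchangeGroups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')

# Rights that hand over control of the object rather than merely reading it.
$ControlRights = @('WriteDacl', 'WriteOwner', 'GenericAll', 'GenericWrite')

# Well-known schema GUIDs for the replication extended rights (DCSync).
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$AllObjectsGuid = '00000000-0000-0000-0000-000000000000'

function Get-ExchangeDomainRootRights {
    # Distinguished name of the domain naming context, e.g. DC=corp,DC=example.
    $domainDn = (Get-ADDomain).DistinguishedName
    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$domainDn"

    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value          # DOMAIN\Group
        $isExchange = $ExchangeGroups | Where-Object { $identity -like "*\$_" }
        if (-not $isExchange) { continue }

        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        $flags  = @()

        foreach ($r in $ControlRights) {
            if ($rights -match $r) { $flags += $r }
        }
        # ExtendedRight with the all-zero GUID means every extended right,
        # which includes both replication rights.
        if ($rights -match 'ExtendedRight' -and $guid -eq $AllObjectsGuid) {
            $flags += 'All extended rights'
        }
        if ($ReplicationGuids.ContainsKey($guid)) {
            $flags += $ReplicationGuids[$guid]
        }

        [PSCustomObject]@{
            Identity   = $identity
            AccessType = $ace.AccessControlType
            Rights     = $rights
            ObjectType = $guid
            Inherited  = $ace.IsInherited
            Dangerous  = ($flags -join ', ')
        }
    }
}

# Show only Allow entries that confer control or replication rights.
Get-ExchangeDomainRootRights |
    Where-Object { $_.AccessType -eq 'Allow' -and $_.Dangerous -ne '' } |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT as a user who can read the domain object (any domain user can by default). An empty result means neither group holds a control or replication grant on the domain root; any row that appears is a default you are relying on and should be reviewed against the minimum rights Exchange needs, in a test environment first, as the quote above recommends.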