CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks

Original release date: January 28, 2019

The CERT Coordination Center (CERT/CC) has released information to address
NTLM relay attacks affecting Microsoft Exchange 2013 and newer versions. A
remote attacker could exploit this vulnerability to take control of an affected
system.

Overview

Microsoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM
authentication traffic, which can allow a remote attacker to gain the privileges
of the Exchange server.

Description

Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the
EWS API functions is called PushSubscription, which can be used to cause the
Exchange server to connect to an arbitrary website. Connections made using the
PushSubscription feature will attempt to negotiate with the arbitrary web server
using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM
authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of
signing makes this authentication attempt vulnerable to NTLM relay attacks.
Microsoft Exchange is by default configured with extensive privileges with
respect to the Domain object in Active Directory. Because the Exchange Windows
Permissions group has WriteDacl access to the Domain object, the Exchange server
privileges obtained using this vulnerability can be used to gain Domain Admin
privileges for the domain that contains the vulnerable Exchange server.
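The advisory's core finding is that the NTLM messages Exchange sends over HTTP lack the Sign and Seal negotiate flags. The following added example (not part of the CERT/CC note) parses NTLM tokens as they appear in HTTP authentication headers and reports whether those flags are present, which is a useful check when reviewing captured traffic or proxy logs; the sample tokens are constructed here, and the field offsets follow the MS-NLMP message layouts.

```python
import base64
import struct

# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

# Byte offset of NegotiateFlags for NEGOTIATE (1), CHALLENGE (2), AUTHENTICATE (3)
FLAG_OFFSETS = {1: 12, 2: 20, 3: 60}


def parse_ntlm_flags(message: bytes) -> dict:
    """Return message type and sign/seal flag state of one raw NTLMSSP message."""
    if message[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", message, 8)[0]
    if msg_type not in FLAG_OFFSETS:
        raise ValueError(f"unknown NTLM message type {msg_type}")
    flags = struct.unpack_from("<I", message, FLAG_OFFSETS[msg_type])[0]
    return {
        "type": msg_type,
        "flags": flags,
        "sign": bool(flags & NTLMSSP_NEGOTIATE_SIGN),
        "seal": bool(flags & NTLMSSP_NEGOTIATE_SEAL),
        "always_sign": bool(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN),
    }


def flags_from_http_header(header_value: str) -> dict:
    """Decode an 'NTLM <base64>' Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM HTTP authentication header")
    return parse_ntlm_flags(base64.b64decode(token))


def lacks_session_security(header_value: str) -> bool:
    """True when neither SIGN nor SEAL was negotiated, the condition the advisory describes."""
    info = flags_from_http_header(header_value)
    return not (info["sign"] or info["seal"])


def build_negotiate(flags: int) -> bytes:
    # Constructed minimal NEGOTIATE_MESSAGE: signature, type 1, flags, empty domain/workstation fields
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


# Constructed samples: UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN without, then with, SIGN and SEAL
UNSIGNED_HEADER = "NTLM " + base64.b64encode(build_negotiate(0x00008207)).decode()
SIGNED_HEADER = "NTLM " + base64.b64encode(build_negotiate(0x00008237)).decode()
```

Note that ALWAYS_SIGN alone only adds a dummy signature; it is the SIGN and SEAL bits that bind a session key to the exchange.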

Impact

An attacker that has credentials for an Exchange mailbox and also has the ability
to communicate with both a Microsoft Exchange server and a Windows domain
controller may be able to gain domain administrator privileges. It is also
reported that an attacker without knowledge of an Exchange user's password may be
able to perform the same attack by using an SMB to HTTP relay attack as long as
they are in the same network segment as the Exchange server.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable EWS push/pull subscriptions

If you have an Exchange server that does not leverage EWS push/pull
subscriptions, you can block the PushSubscription API call that triggers this
attack. In an Exchange Management Shell window, execute the following commands:

    New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
    Restart-WebAppPool -Name MSExchangeServicesAppPool

Remove privileges that Exchange has on the domain object

Please note that the following workaround was not developed by CERT and is not
supported by Microsoft. Please test any workarounds in your environment to ensure
that they work properly.

https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/Fix-DomainObjectDACL.ps1
is a PowerShell script that can be executed on either the Exchange Server or
Domain Controller system. By default this script will check for vulnerable
access control entries in the current Active Directory. When executed with
Domain Admin privileges and the -Fix flag, this script will remove the ability
for Exchange to write to the domain object.

Note that if you encounter an error about Get-ADDomainController not being
recognized, you will need to install and import the ActiveDirectory PowerShell
module, and then finally run Fix-DomainObjectDACL.ps1:

    Import-Module ServerManager
    Add-WindowsFeature RSAT-AD-PowerShell   # installs the RSAT AD PowerShell module
    Import-Module ActiveDirectory
    .\Fix-DomainObjectDACL.ps1              # check-only run from the script's directory

If the script reports that faulty ACEs were found, run:

    .\Fix-DomainObjectDACL.ps1 -Fix

PowerShell may be configured to block the execution of user-provided .ps1 files. If this is the case, first find your current PowerShell execution policy:

    Get-ExecutionPolicy

Temporarily allow the execution of the Fix-DomainObjectDACL.ps1 script by running:

    Set-ExecutionPolicy unrestricted

Once you are finished running the Fix-DomainObjectDACL.ps1 script, set the policy back to the original value as reported by Get-ExecutionPolicy:

    Set-ExecutionPolicy [POLICY]

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review CERT/CC's Vulnerability Note VU#465632 and consider the listed workarounds until patches are made available.