A new vulnerability affecting on-premises Exchange servers was disclosed recently (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/). By abusing the high privileges Exchange servers hold by default, an attacker can escalate from any user with a mailbox to Domain Admin access.

According to Dirk-jan Mollema (see the link above), the vulnerability has been tested against …

  • Exchange 2013 (CU21) on Server 2012R2, relayed to a Server 2016 DC
  • Exchange 2016 (CU11) on Server 2016, relayed to a Server 2019 DC
  • Exchange 2019 on Server 2019, relayed to a Server 2019 DC
  • Exchange 2010 SP3 seems to be NOT affected

…and the post lists some mitigations applicable to this attack:

  • Remove the unnecessarily high privileges that Exchange has on the Domain object (see below for some links on this).
  • Enable LDAP signing and enable LDAP channel binding to prevent relaying to LDAP and LDAPS respectively.
  • Block Exchange servers from making connections to workstations on arbitrary ports.
  • Enable Extended Protection for Authentication on the Exchange endpoints in IIS (but not on the Exchange Back End ones, as this will break Exchange). This verifies the channel binding parameters in the NTLM authentication, which ties the NTLM authentication to a TLS connection and prevents relaying to Exchange web services.
  • Remove the registry key which makes relaying back to the Exchange server possible, as discussed in Microsoft's mitigation for CVE-2018-8518.
  • Enforce SMB signing on Exchange servers (and preferably on all other servers and workstations in the domain) to prevent cross-protocol relay attacks to SMB.
  • If EWS push/pull subscriptions aren't used, they can be disabled by setting EWSMaxSubscriptions to 0 with a throttling policy.
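
As an added example (not code from the linked post or from Microsoft), the following PowerShell audit reports whether the registry- and policy-level mitigations above are in place on the host it runs on. The LDAP checks are meaningful on a domain controller, the SMB, IIS and throttling checks on an Exchange server (run from the Exchange Management Shell to include the throttling policies); the IIS site name 'Default Web Site' is an assumption.

```powershell
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Result([string]$Check, $Expected, $Actual) {
    if ($null -eq $Actual) { $Actual = 'not set' }
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Ok = ("$Actual" -eq "$Expected") }
}

function Get-RelayMitigationStatus {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Domain controller side: LDAP signing required (2) and channel binding always (2)
    # stop the relay to LDAP and LDAPS respectively.
    New-Result 'LDAP signing required (DC)'  2 (Get-RegDword $ntds 'LDAPServerIntegrity')
    New-Result 'LDAP channel binding (DC)'   2 (Get-RegDword $ntds 'LdapEnforceChannelBinding')
    # Exchange server side: SMB signing required (1) stops cross-protocol relay to SMB.
    New-Result 'SMB signing required'        1 (Get-RegDword $srv 'RequireSecuritySignature')

    # Extended Protection on the front-end EWS virtual directory (assumed site name
    # 'Default Web Site'); 'Require' ties the NTLM authentication to the TLS channel.
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        $epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\EWS' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -ErrorAction SilentlyContinue
        New-Result 'EPA tokenChecking (EWS front end)' 'Require' $(if ($epa -is [string]) { $epa } else { $epa.Value })
    }

    # EWS push/pull subscriptions: if unused, every throttling policy should cap them at 0
    # (Exchange Management Shell cmdlet; skipped when the shell is not loaded).
    if (Get-Command Get-ThrottlingPolicy -ErrorAction SilentlyContinue) {
        foreach ($p in Get-ThrottlingPolicy) {
            New-Result "EwsMaxSubscriptions ($($p.Name), $($p.ThrottlingPolicyScope))" 0 "$($p.EwsMaxSubscriptions)"
        }
    }
}

Get-RelayMitigationStatus | Format-Table -AutoSize
```

Rows marked 'not set' on the wrong host type (for example the NTDS values on an Exchange server) can be ignored; on the right host they mean the mitigation is absent.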

Update: Microsoft has released a cumulative update for all supported versions of Exchange Server. Visit the related post: Exchange – Update to fix escalation privilege vulnerability