Wednesday, 01/30/2019 4:25:19 PM

US-CERT Highlights Exchange Server Flaw Enabling Escalation-of-Privilege Attacks

https://redmondmag.com/articles/2019/01/30/exchange-server-escalation-of-privilege.aspx

The U.S. Computer Emergency Readiness Team this week noted that Exchange Server versions from Exchange Server 2013 on up have a vulnerability that could permit the impersonation of any user, leading to "control of an affected system."

This Exchange Server flaw was actually noted by Microsoft back in November in an advisory. It was assigned the common vulnerabilities and exposures number of CVE-2018-8581.

The CERT Coordination Center described it as a "NTLM relay attack" vulnerability, which affects Exchange Server 2013 and newer Exchange Server versions, in a vulnerability note. The vulnerability is present because Exchange Server fails to set "signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange Server."

An attack can occur if the attacker has "credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller," US-CERT noted. It can also happen without the attacker having an Exchange user's password, according to researchers. US-CERT recommended disabling Exchange Web Services push/pull subscriptions and removing Exchange privileges on the domain object, but noted that those measures aren't supported by Microsoft.

Microsoft had described the vulnerability as an elevation-of-privilege issue for Exchange Server, and suggested that a so-called "man-in-the-middle" type of approach would be needed to exploit it. Microsoft's advisory gave it an Exploitability Assessment ranking of "2," for "less likely" to be exploited, as well as an "Important" severity ranking. Right now, there's no software patch for the vulnerability, nor is there a workaround. Instead, Microsoft's advisory suggested altering the Registry to delete a DisableLoopbackCheck value as a stop-gap approach.

However, a Jan. 29 post by the SANS Institute's Internet Storm Center suggested that Microsoft's recommendation won't address the vulnerability:


Note that the deletion of registry key as specified in Microsoft's advisory for CVE-2018-8581 does not fix this vulnerability! It prevents a malicious user from impersonating another user on the Exchange server, but not on a Domain Controller, through LDAP. Additionally, I have installed patches on an Exchange 2016 server, and the registry key was not removed (even though Microsoft's advisory says that they will remove it).

The SANS Institute post indicated that "Exchange 2013, 2016 and 2019 have been confirmed as vulnerable." The vulnerability isn't present on Exchange Server 2010 because it has a signing capability that's lacking in the later products. The vulnerability status of Exchange Server 2007 is "unknown at this time."

Trend Micro's Zero Day Initiative team apparently first described how the Exchange Server vulnerability works back in December. The vulnerability allows anyone to impersonate anyone else on an Exchange Server-based network. It could be used in spear-phishing campaigns.

"While this bug certainly could be used for some interoffice hijinks, it's much more likely that this vulnerability would be used in a spear phishing campaign, data exfiltration, or other malware operation," the ZDI team wrote.

Security researcher Dirk-jan Mollema provided his description of the vulnerability in this blog post. He suggested that Exchange Servers have privileges within an organization's Active Directory that are too high. The vulnerability could be used to escalate privileges to the "Domain Admin" level via "golden tickets," based on the ZDI team's analysis. It's especially possible to carry out the exploit when the attacker uses "NTLM over HTTP," he added.

"This [vulnerability] can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I've seen that use Exchange," Mollema wrote.

Mollema also suggested that compromised credentials aren't needed to perform the attack: "If an attacker is only in a position to perform a network attack, but doesn't have any credentials, it is still possible to trigger Exchange to authenticate."

Mollema offered a bulleted list of suggestions on how to address the Exchange Server vulnerability. It includes removing the "unnecessary high privileges that Exchange has on the Domain object" and enabling LDAP signing. Organizations can also "block Exchange servers from making connections to workstations on arbitrary ports," among other tips. He also recommended carrying out Microsoft's recommendation.

The Center for Internet Security also weighed in on the Exchange Server vulnerability in a Jan. 29 advisory. The nonprofit group assigned it a risk of "High" for large entities and "Medium" for small ones, in contrast to Microsoft's weightings.

Microsoft's advisory does suggest that it will deliver a future cumulative update to Exchange Server that will delete a problematic registry value with regard to NTLM, although the timing wasn't mentioned.

"To address this vulnerability, a registry value which enables NTLM authentication on the network loopback adapter needs to be removed," the advisory stated. "Future cumulative updates will ensure that this registry setting is configured correctly during installation of the cumulative update."
=================================================================
Spear-phishing and malware (see underlines in article) are two items that Wave can combat against very effectively for organizations by using the Wave VSC 2.0 and Wave Endpoint Monitor solutions. Having both of those solutions under one company should make Wave a formidable player in cybersecurity and even stronger with its other solutions.
=================================================================
Microsoft Exchange Vuln Enables Attackers to Gain Domain Admin Privileges

https://www.darkreading.com/microsoft-exchange-vuln-enables-attackers-to-gain-domain-admin-privileges/d/d-id/1333758?_mc=KJH-Twitter-2019-01

Excerpts:

The attack is possible because of the extensive privileges available by default in Exchange and therefore cannot be patched against, security researcher Dirk-jan Mollema of Netherlands-based Fox-IT wrote in a blog post describing the new exploit. Mollema also released a proof-of-concept tool dubbed "PrivExchange" demonstrating how the attack works.

An attacker with a foothold on a Windows network can use the publicly available exploit to gain domain administration rights, he warns. "The domain controller is the key to the whole kingdom," Dormann says. "Somebody that gains access to the domain controller owns the entire network."
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management


Key Features:

Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies

Low TCO
• Reduce operating expenses by eliminating password reset and shortening deployment times
• Minimize capital expenses by using hardware you already have
• Integrate with Microsoft Active Directory for IT familiarity

Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance

Flexibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• Create custom management policies to suit your organization’s needs
• User and device authentication from a common console

Seamless Device Authentication
• Access control over wireless (i.e. 802.1x)
• Single sign-on
• VPN authentication (i.e. Microsoft DirectAccess)


Microsoft, Windows, and BitLocker are either registered trademarks or trademarks of the Microsoft group of companies.

https://www.wavesys.com/products/wave-virtual-smart-card

The VSC 2.0 also protects against stolen credentials!

https://www.wavesys.com/
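Added example, not part of the post above nor code from Microsoft, SANS, CERT/CC or Dirk-jan Mollema: a read-only PowerShell audit of the CVE-2018-8581 / PrivExchange mitigations the quoted articles name (the DisableLoopbackCheck registry value, LDAP signing on the domain controllers, Exchange's WriteDacl right on the domain object, and EWS push/pull subscriptions). It assumes it is run as an administrator from the Exchange Management Shell on an Exchange server that has the ActiveDirectory module installed, that remote registry access to the domain controllers is allowed, and that the default group names "Exchange Windows Permissions" and "Exchange Trusted Subsystem" are in use; the throttling-policy check is my mapping of the "disable EWS push/pull subscriptions" advice onto Exchange's EwsMaxSubscriptions setting. It changes nothing, it only reports.

```powershell
# Added example: audit the PrivExchange mitigations discussed in the articles above.
# Assumes: Exchange Management Shell + ActiveDirectory module, remote registry to DCs.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Microsoft's stop-gap: the DisableLoopbackCheck value should be gone on the Exchange server.
#    SANS notes this only stops relaying back to Exchange itself, not to a DC over LDAP.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$loopback = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($loopback -and $loopback.DisableLoopbackCheck -eq 1) {
    $findings.Add("DisableLoopbackCheck=1 is still set under $lsa (Microsoft's advisory says to delete it)")
}

# 2. LDAP signing on every domain controller. LDAPServerIntegrity = 2 means "Require signing",
#    which is what defeats a relayed, unsigned NTLM bind against LDAP.
Import-Module ActiveDirectory
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $integrity = $key.GetValue('LDAPServerIntegrity', 0)
        if ($integrity -ne 2) {
            $findings.Add("$($dc.HostName): LDAPServerIntegrity=$integrity (LDAP signing not required)")
        }
    } catch {
        $findings.Add("$($dc.HostName): could not read LDAPServerIntegrity ($($_.Exception.Message))")
    }
}

# 3. Exchange's privileges on the domain object. WriteDacl held by the Exchange groups is the
#    right the relayed session uses to grant itself replication (DCSync) permissions.
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$exchangeGroups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')  # assumed default names
foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    if ($exchangeGroups -contains $name -and
        $ace.AccessControlType -eq 'Allow' -and
        ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)) {
        $findings.Add("$name holds WriteDacl on $domainDN")
    }
}

# 4. EWS push/pull subscriptions are the trigger that makes Exchange authenticate outbound.
#    A throttling policy with EwsMaxSubscriptions = 0 disables them; $null means the policy
#    inherits the value from its parent, so only explicit non-zero values are flagged here.
if (Get-Command Get-ThrottlingPolicy -ErrorAction SilentlyContinue) {
    foreach ($policy in Get-ThrottlingPolicy) {
        $max = $policy.EwsMaxSubscriptions
        if ($null -ne $max -and "$max" -ne '0') {
            $findings.Add("Throttling policy '$($policy.Name)' allows EWS subscriptions (EwsMaxSubscriptions=$max)")
        }
    }
} else {
    $findings.Add('Get-ThrottlingPolicy not available; run from the Exchange Management Shell to check EWS subscriptions')
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: loopback check restored, LDAP signing required, Exchange lacks WriteDacl, EWS subscriptions disabled.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The ACL check is the one that matters most: as long as the Exchange group keeps WriteDacl on the domain root, any relay that lands a machine-account bind on a DC can still escalate, regardless of the loopback value, which is the point SANS made about Microsoft's registry advice. Removing that right and requiring LDAP signing are the unsupported measures the articles mention, so test both on a lab domain before changing production.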