New Microsoft Exchange zero-days allow RCE, data theft attacks

Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations.

The zero-day vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) yesterday, who reported them to Microsoft on September 7th and 8th, 2023.

Despite Microsoft acknowledging the reports, its security engineers decided the flaws weren't severe enough to guarantee immediate servicing, postponing the fixes for later.

ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks.

A summary of the flaws can be found below:

• ZDI-23-1578 – A remote code execution (RCE) flaw in the 'ChainedSerializationBinder' class, where user data isn't adequately validated, allowing attackers to deserialize untrusted data. Successful exploitation enables an attacker to execute arbitrary code as 'SYSTEM,' the highest level of privileges on Windows.
• ZDI-23-1579 – Located in the 'DownloadDataFromUri' method, this flaw is due to insufficient validation of a URI before resource access. Attackers can exploit it to access sensitive information from Exchange servers.
• ZDI-23-1580 – This vulnerability, in the 'DownloadDataFromOfficeMarketPlace' method, also stems from improper URI validation, potentially leading to unauthorized information disclosure.
• ZDI-23-1581 – Present in the CreateAttachmentFromUri method, this flaw resembles the previous bugs with inadequate URI validation, again, risking sensitive data exposure.

All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5. Furthermore, requiring authentication is a mitigation factor and possibly why Microsoft did not prioritize the fixing of the bugs.

It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs.

That said, the above zero-days shouldn't be treated as unimportant, especially ZDI-23-1578 (RCE), which can result in complete system compromise.

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product.

We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

---

Update 11/4 - A Microsoft spokesperson responded to BleepingComputer's request for a comment with the following statement:

We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we’re committed to taking the necessary steps to help protect customers.

We’ve reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate. - a Microsoft spokesperson 

Further Microsoft provided the below additional context on each of the discovered flaws:  

• Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected.
• Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
• Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials.
• Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.