There are NT LAN Manager (NTLM) relay attacks affecting Microsoft Exchange 2013 and newer versions where a remote attacker could exploit this vulnerability to take control of an affected system.
Microsoft Exchange supports a API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscriptionRequest, which can cause the Exchange server to connect to an arbitrary website, according to CERT/CC. Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks.
Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.
An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported an attacker without knowledge of an Exchange user’s password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.
CERT/CC is currently unaware of a solution to this problem, but there are workarounds:
• If you have an exchange server that does not leverage EWS push/pull subscriptions, you can block the PushSubscriptionRequest API call that triggers this attack. In an Exchange Management Shell window, execute the following commands: New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
Restart-WebAppPool -Name MSExchangeServicesAppPool
• There is a PowerShell script that can be executed on either the Exchange Server or Domain Controller system. By default this script will check for vulnerable access control entries in the current active directory. When executed with Domain Admin privileges and the -Fix flag, this script will remove the ability for Exchange to write to the domain object. (Please note that the following workaround was not developed by CERT and is not supported by Microsoft. Please test any workarounds in your environment to ensure that they work properly.) Note if you encounter an error about Get-ADDomainController not being recognized, you will need to install and import the ActiveDirectory PowerShell module.