Microsoft shut down the PrivExchange zero-day vulnerability that cropped up last month in addition to the usual fare for February Patch Tuesday.
The PrivExchange Microsoft zero-day vulnerability, publicly disclosed by security researcher Dirk-jan Mollema, allowed an attacker to exploit susceptible Exchange Server 2010 and newer systems to gain domain controller admin privileges. Microsoft initially responded with an advisory (ADV190007) and suggested administrators define a policy to prevent Exchange from sending Exchange Web Services notifications.
The root of the PrivExchange problem is that a standard installation of Exchange Server requires a lot of permissions in Active Directory, said Nathan O'Bryan, an enterprise architect at Insight and TechTarget contributor.
"Always applying more security makes managing your servers more difficult," O'Bryan said. "Organizations have to keep up with, be aware of and make the right decision for them."
February's security updates delivered a fix, rated important, for the Microsoft zero-day vulnerability that the company assigned two CVE identifiers, CVE-2019-0686 and CVE-2019-0724.
Microsoft flagged the first vulnerability (CVE-2019-0686) as a public disclosure. An attacker attempting to exploit the elevation of privilege weakness would need to execute a man-in-the-middle attack to send an authentication request from the hacked inbox. They could then impersonate another Exchange Server user to access their mailbox. Applying the February security update to affected systems prevents authentication notifications to stop the bug.
CVE-2019-0724, which was not publicly disclosed, explained how an attacker could execute a man-in-the-middle exploit to send an authentication request to a domain controller to gain domain admin privileges. To fix this, Microsoft reduced permissions given to Exchange servers and administrators of those systems in Active Directory domains.
"We would escalate this [CVE-2019-0724] to priority one and assume it's a high-risk exploit," said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
Microsoft addresses another public disclosure and advisory
Among the 75 unique vulnerabilities closed by February Patch Tuesday, Microsoft addressed a public disclosure and suggested mitigations with an advisory.
Administrators should prioritize the publicly disclosed Windows information disclosure vulnerability (CVE-2019-0636), rated important, that affects all supported Windows systems. Attacker could exploit this bug to run a specially crafted application and get unauthorized access to the file system. To address the vulnerability, the February security updates change how Windows discloses information.
Microsoft also released an advisory to diminish the chance of an Active Directory exploit (ADV190006). Active Directory forest trusts allow forests to share resources with identities from another forest. Researchers from SpecterOps found a vulnerability in a default setting when creating incoming trusts. Until Microsoft can address this bug in future security updates, the company recommends blocking "TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to No" using the instructions provided in Knowledge Base article 4490425.
Microsoft addressed a zero-day exploit in the Internet Explorer browser that is rated important for Windows client systems and low for Windows Server OSes (CVE-2019-0676). On unpatched systems, an attacker would need to get the victim to visit a malicious website to read file contents.
"Make sure the OS and IE are updated in your environments," Goettl said. "Windows browsers and Office should also warrant some attention."
CVEs on the rise, but admins shouldn't worry
The number of vulnerabilities and patches has increased over the years -- CVEs reported and resolved in 2018 were a record high -- but this is not as alarming as it seems, Goettl said.
"What we have are more vendors that are taking a more disciplined role in properly identifying and resolving vulnerabilities and disclosing that information to the industry so people are aware of it," he said.
Some vendors also have bug bounty programs that offer researchers a strong financial incentive to find more vulnerabilities. Goettl said Qualcomm's Vulnerability Rewards Program, which has been around for two years, pays handsomely for potential security issues. To date, the company said it has paid more than $750,000 in bounties, with more than $200,000 going to one researcher. Since the program began in November 2016, Qualcomm said it has paid out for nearly 350 bounties.