Extremely urgent! Microsoft Exchange Server security vulnerability! The latest solution is included

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Today, I learned that the most serious security vulnerability in the history of Microsoft Exchange Server products has been exposed, and all currently supported Exchange Server versions are hit!

According to information shared by Zhang Meibo, chief solution expert and Microsoft guru of Microsoft Enterprise Services in China, Trend Micro has discovered the most serious system vulnerability in the history of Exchange Server products. Sending an email in a specific format can lead to remote execution of arbitrary code under the system account. For more information, please refer to the following Microsoft Security Bulletin:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8302

With regard to this security vulnerability in Exchange Server, an update has been officially released today.

Exchange Server 2010 Emergency Response Plan

1. The security update for Exchange Server 2010 is delivered through Exchange Server 2010 SP3 RU23, which can be installed as long as Exchange Server 2010 is at SP3 or above.

The download address is:

Update Rollup 23 for Exchange Server 2010 Service Pack 3

https://www.microsoft.com/en-us/download/details.aspx?id=57219

2. After completing the above prerequisites, install Microsoft's latest security update for CVE-2018-8302:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8302

Exchange Server 2013 / 2016 Emergency Response Plan

1. For Exchange Server 2013 and Exchange Server 2016: since, starting with Exchange Server 2013, we have changed the product support model to release a cumulative update (CU) every quarter and support only the latest two CUs, the update has been released only for the currently supported Exchange Server 2013 CU20/CU21 and Exchange Server 2016 CU9/CU10. To install this security update, you first need to bring Exchange Server 2013 or Exchange Server 2016 up to one of the supported CUs. The download address is:

Description of the security update for Microsoft Exchange Server 2013 and 2016: August 14, 2018

https://support.microsoft.com/en-us/help/4340731/description-of-the-security-update-for-microsoft-exchange-server-2013

2. After completing the above prerequisites, install Microsoft's latest security update for CVE-2018-8302:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8302

The Trend Micro Zero Day Initiative team that discovered the security issue has published a blog post describing it in detail. Note that the attack code may already have been leaked.

Notes on the security vulnerability

1. Currently, the PoC attack code depends on the UM role of Exchange Server. Note that this role is a standalone server role in Exchange Server 2010 and an integrated server role in Exchange Server 2013/2016.

2. The attacker needs to upload the malicious attack code (a .NET serialization payload) to the target user's mailbox in advance (the code is uploaded through EWS, which requires authentication, for example uploading to the attacker's own mailbox) and modify the TopNWords.Data property of the mailbox's Inbox folder (a public property; authenticated users can modify it in their own mailbox). The Trend Micro Zero Day Initiative team believes that Microsoft's security update prohibits users from accessing the TopNWords.Data property (this has not yet been confirmed by the Exchange product group).

3. The attacker sends a voicemail to the target user's mailbox, triggering the Exchange server to convert the voicemail.

4. At this point, the malicious code the attacker uploaded earlier is triggered and executed under the local system account.

About the above process:

1. TopN Words scans, analyzes and records the words and information that users use most often; this is implemented by the TopN Words Assistant.

2. The TopN Words Assistant scans the voicemail in the user's mailbox at irregular intervals (almost in real time) to perform this function.

3. The TopN Words Assistant is integrated into the Microsoft Exchange Mailbox Assistants service and belongs to the Exchange Server MBX server role.

4. The Microsoft Exchange Mailbox Assistants service runs under the local system account.

As usually happens, once the PoC attack code has leaked, it may be analyzed and used to further expand the scope of attacks, so please be sure to install the relevant updates as soon as possible.
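A patch-planning sketch for the two response plans above, added here as an example and not Microsoft's or the article author's tooling: it reads a constructed server inventory, applies the SP/CU prerequisites stated above, and lists UM-hosting servers first because the PoC depends on the UM role. The inventory format, host names and function names are assumptions, as is treating the Mailbox role on 2013/2016 as the one that carries UM.

```python
import csv
import io
import re

# Constructed sample inventory: host, Exchange version, SP/CU level, roles.
SAMPLE_INVENTORY = """host,version,level,roles
ex10-um,2010,SP3,UM
ex10-old,2010,SP2,Mailbox
ex13-a,2013,CU19,Mailbox;ClientAccess
ex13-b,2013,CU21,Mailbox
ex16-a,2016,CU10,Mailbox
ex16-edge,2016,CU8,Edge
"""

# CU levels for which the article says the security update was released.
PATCHABLE_CU = {"2013": {20, 21}, "2016": {9, 10}}

def next_step(version, level):
    """Return the action the article prescribes for one server."""
    m = re.match(r"(SP|CU)\s*(\d+)", level.strip().upper())
    if not m:
        return "unknown level: review manually"
    kind, n = m.group(1), int(m.group(2))
    if version == "2010" and kind == "SP":
        # RU23 installs only on SP3 or above.
        return "install SP3 RU23" if n >= 3 else "upgrade to SP3, then install SP3 RU23"
    if version in PATCHABLE_CU and kind == "CU":
        if n in PATCHABLE_CU[version]:
            return "install security update"
        targets = "/".join(f"CU{c}" for c in sorted(PATCHABLE_CU[version]))
        return f"upgrade to {targets}, then install security update"
    return "unsupported combination: review manually"

def hosts_um(version, roles):
    """UM is standalone on 2010; assumed to ship with the Mailbox role on 2013/2016."""
    return "UM" in roles if version == "2010" else "Mailbox" in roles

def plan(inventory_csv):
    """Build the patch plan, UM-hosting servers first, then by host name."""
    rows = []
    for r in csv.DictReader(io.StringIO(inventory_csv)):
        roles = set(r["roles"].split(";"))
        rows.append((r["host"], hosts_um(r["version"], roles),
                     next_step(r["version"], r["level"])))
    return sorted(rows, key=lambda row: (not row[1], row[0]))

if __name__ == "__main__":
    for host, um, action in plan(SAMPLE_INVENTORY):
        print(f"{host:10} UM={um!s:5} {action}")
```

The ordering only sets priority; every server in the inventory still ends up with an update action.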
