2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
According to information shared by Zhang Meibo, chief solution expert and Microsoft guru of Microsoft Enterprise Services in China, Trend Micro has discovered the most serious system vulnerability in the history of Exchange Server products. Sending an email in a specific format can lead to remote execution of arbitrary code under the system account. For more information, please refer to the following Microsoft Security Bulletin:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8302
With regard to this Exchange Server security vulnerability, an update has been officially released today:
1. The security update for Exchange Server 2010 is delivered through Exchange Server 2010 SP3 RU23. It can be installed as long as Exchange Server 2010 is at SP3 or above. The download address is:
Update Rollup 23 for Exchange Server 2010 Service Pack 3
https://www.microsoft.com/en-us/download/details.aspx?id=57219
2. For Exchange Server 2013 and Exchange Server 2016: because, starting with Exchange Server 2013, we changed the product support model to release a cumulative update (CU) every quarter and to support only the two most recent CUs, the update has been released only for the currently supported Exchange Server 2013 CU20/CU21 and Exchange Server 2016 CU9/CU10. To install this security update, you first need to bring Exchange Server 2013 or Exchange Server 2016 up to one of these supported CUs. The download address is:
Description of the security update for Microsoft Exchange Server 2013 and 2016: August 14, 2018
https://support.microsoft.com/en-us/help/4340731/description-of-the-security-update-for-microsoft-exchange-server-2013
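The update paths above can be applied to a server inventory mechanically. The following is an added example, not code from the article or from Microsoft: the CSV layout, the server names and the `SPn`/`CUn` level labels are constructed, and ranking UM-capable servers first is an assumption based on the article's note that the current PoC depends on the UM role.

```python
import csv
import io

# CU levels the article lists as eligible for the August 14, 2018 update.
SUPPORTED_CUS = {"2013": {"CU20", "CU21"}, "2016": {"CU9", "CU10"}}

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_INVENTORY = """name,product,level,roles
EX10-UM,2010,SP3,UM
EX10-OLD,2010,SP2,Mailbox
EX13-A,2013,CU21,Mailbox
EX13-B,2013,CU18,Mailbox
EX16-A,2016,CU10,Mailbox
EX16-B,2016,CU8,Mailbox
"""

def patch_action(product, level):
    """Return (ready, action) for one server, following the article's rules."""
    level = level.upper()
    if product == "2010":
        # RU23 installs on SP3 or above.
        if level.startswith("SP") and level[2:].isdigit() and int(level[2:]) >= 3:
            return True, "install Update Rollup 23 for Exchange Server 2010 SP3"
        return False, "upgrade to SP3, then install Update Rollup 23"
    if product in SUPPORTED_CUS:
        if level in SUPPORTED_CUS[product]:
            return True, "install the August 14, 2018 security update (KB4340731)"
        targets = "/".join(sorted(SUPPORTED_CUS[product], key=lambda c: int(c[2:])))
        return False, f"upgrade to {targets}, then install KB4340731"
    return False, "product not covered by the article; check the MSRC advisory"

def triage(inventory_csv):
    """Rank servers: UM-capable first, and among those the ones needing a CU/SP upgrade."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        product = rec["product"].strip()
        roles = {r.strip().upper() for r in rec["roles"].split(";")}
        # Per the article, UM is a standalone role in 2010 and integrated in 2013/2016.
        um = "UM" in roles or (product in SUPPORTED_CUS and "MAILBOX" in roles)
        ready, action = patch_action(product, rec["level"].strip())
        rows.append({"name": rec["name"], "um": um, "ready": ready, "action": action})
    # False sorts before True: UM servers first, then servers that are not yet patch-ready.
    rows.sort(key=lambda r: (not r["um"], r["ready"], r["name"]))
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f'{r["name"]:9} {"UM" if r["um"] else "--"}  {r["action"]}')
```

Servers reported as not ready need the service pack or CU upgrade scheduled first, since the security update will not install on them.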
The Trend Micro Zero Day Initiative team that discovered the security issue published a blog post describing it in detail. Note that the attack code may already have been leaked. Key points from their article and the PoC attack code:
1. Currently, the PoC attack code depends on the UM role of Exchange Server. Note that this role is a standalone server role in Exchange Server 2010 and an integrated server role in Exchange Server 2013/2016.
2. The attacker needs to upload malicious code (a .NET serialization payload) to the target user's mailbox in advance (the code is uploaded through EWS, which requires authentication, for example uploading to the attacker's own mailbox), and modify the TopNWords.Data property of the mailbox's Inbox folder (a public property; authenticated users can modify it in their own mailbox). The Trend Micro Zero Day Initiative team believes that Microsoft's security update prohibits users from accessing the TopNWords.Data property (this has not yet been confirmed by the Exchange product group).
3. The attacker sends a voicemail to the target user's mailbox, triggering the Exchange server to convert the voicemail.
4. At this point, the malicious code that the attacker uploaded earlier is triggered and executed under the local system account.
For the relevant blog post, please visit the following address:
https://www.zerodayinitiative.com/blog/2018/8/14/voicemail-vandalism-getting-remote-code-execution-on-microsoft-exchange-server
About the above process:
1. TopN Words scans, analyzes and records the words and information that users use most often; it is implemented by the TopN Words Assistant.
2. The TopN Words Assistant scans the voicemail in the user's mailbox at irregular intervals (almost in real time) to perform its function.
3. The TopN Words Assistant is integrated into the Microsoft Exchange Mailbox Assistants service and belongs to the Exchange Server MBX server role.
4. The Microsoft Exchange Mailbox Assistants service runs under the local system account.
As usual, once PoC code is leaked, it may be analyzed and used to further widen the scope of attacks, so please be sure to install the relevant updates promptly.
I will let you know if there is any update later. I hope you will follow and forward it as soon as possible and do a good job in the relevant protection work.