Introduction

Details of a critical vulnerability impacting Microsoft’s Exchange 2013 and 2016 servers were recently discovered and made public. If successfully exploited, this vulnerability would allow an attacker to gain Domain Admin permissions within a company’s Active Directory infrastructure, allowing nearly unrestricted access to a compromised server. At this time Microsoft has not released a patch for this vulnerability. Tier1Net customers who have implemented Tier1Net’s Cisco Umbrella Secure DNS and/or Duo Authentication services have their exposure to this vulnerability greatly reduced.

Technical Information

In order to successfully exploit this vulnerability, an attacker would first need to obtain the credentials to any existing mailbox on a targeted Exchange server. This can be accomplished via phishing attacks or credential stuffing, where an attacker uses breached credentials from one service to gain access to another. Once an attacker has access to a mailbox on the Exchange server, they can combine three known vulnerabilities to elevate the compromised account’s permissions to those of a Domain Admin. A Domain Admin has full access to an Exchange server and can perform such tasks as resetting passwords, creating mailboxes, deleting mailboxes, etc.

Steps Being Taken by Tier1Net

Due to Tier1Net’s expertise and emphasis on cybersecurity, many of its customers are already protected from this latest vulnerability. Furthermore, Tier1Net deploys multiple security layers to both its own internal and hosted infrastructures and to client-supported networks, greatly reducing the exploit risk of any single vulnerability. To further reduce customer exposure to this vulnerability, Tier1Net will be deploying a Microsoft-supported mitigation tool to all managed and hosted Exchange servers.

Additional Information

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://nakedsecurity.sophos.com/2019/01/30/privilege-escalation-vulnerability-uncovered-in-microsoft-exchange/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581


After more than two weeks, Apple has finally acknowledged the iOS 6.1 bug and is promising a fix in an upcoming software update.

As reported earlier in the week, a critical compatibility error between Apple’s iOS 6.1 and Microsoft’s Exchange Server was causing major strain on servers’ CPU usage and storage capacity. To mitigate risks to Exchange servers, suggested workarounds ranged from disabling Calendar sync to blocking Exchange access altogether.

We advised our own clients to refrain from upgrading to iOS 6.1 (or 6.1.1). For those who had already upgraded, we advised them to temporarily disable Calendar syncing on their device or, at the very least, to restrict their mobile calendar use to “read-only” mode.

Apple has just released a Knowledge Base Article acknowledging the bug, and stating that they have “identified a fix and will make it available in an upcoming software update.”

We will let our clients know as soon as this update becomes available.

Attention Apple iOS 6.1 Users:

Within the last week, a potentially critical problem has been detected with the latest version of iOS (6.1) for iPhones/iPads with regard to syncing to an Exchange server.

Though not officially announced yet, many online reports, including first-hand instances from our own clients, confirm that mobile devices running iOS 6.1 are creating excessive log files on the Exchange server. These log files are generated in a continuous loop and will eventually exhaust the Exchange server’s disk space, causing your Exchange server to fail.

From Windows IT Pro:

Some forums have started to register problems with excessive growth of transaction logs for databases hosting the mailboxes of iOS devices that have been upgraded to iOS 6.1. For example, this note describes a situation where upgraded devices seemed to go into a loop and ended up generating some 50 GB of transaction logs.

At this point, the problem is believed to be isolated to the synchronization of Calendar items. It is also isolated to devices running iOS 6.1. Devices running iOS 6.0 or earlier versions are not affected.

Unfortunately, there is no fix for the problem at this time (from either Apple or Microsoft).

From ZDNET:

Until the bug is fixed, corporate users are advised to not upgrade to iOS 6.1. For users who have already upgraded, though, there is no way to revert to the previous version. IT administrators have no control over when their BYOD users upgrade, so many of them have resorted to blocking iOS 6.1 from accessing Exchange as a temporary mitigation to prevent server outages for everybody else.

Some corporations are already taking precautions against potential Exchange failures by disabling all mobile device ActiveSync. However, this will prevent users from using any Exchange-related functions on their mobile device, including all email functions, calendaring, etc.

Prior to taking this step, Tier1Net recommends the following actions:

Recommended Actions for Users on iOS 6.1:

If you have upgraded, please remove calendar synchronization by performing the following steps.

  1. From your mobile device, confirm your iOS version by going to Settings > General > About and scrolling down to Version.
  2. If your iOS version is 6.1, remove calendar synchronization by going to Settings > Mail, Contacts, Calendars, selecting your Exchange account, sliding Calendar to the Off position, and selecting Delete from my iPhone. This will remove the copy of your calendar from the device.

Please note that this will REMOVE your Exchange Calendar from your mobile device.

If your company is running the latest version of Microsoft Exchange, Tier1Net will be able to provide you with a list of all devices currently upgraded to iOS 6.1. Please contact us if you would like us to compile this list of devices for you.

Additionally, Tier1Net recommends that you immediately notify all employees to REFRAIN FROM UPGRADING IPHONE/IPAD to iOS 6.1 until further notice.

If one of your users is running iOS 6.1 and cannot effectively work without viewing their mobile calendar, please contact us for a potential work-around.

Meanwhile, we will continue monitoring your Exchange server for excessive logging. If excessive logging continues from any particular device, Tier1Net will have to disable ActiveSync for that mobile device. Removing ActiveSync access will disable all Exchange access from that device (mail, calendar, etc.).
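The two administrative tasks described above, compiling the list of devices that report iOS 6.1 and watching the Exchange server for excessive transaction logging, can both be done from the Exchange Management Shell. The following is an added example written for this page, not a script from Tier1Net, Apple or Microsoft. It assumes Exchange 2010 SP1 or later (Get-ActiveSyncDevice, Get-MailboxDatabase, Set-CASMailbox and New-ActiveSyncDeviceAccessRule are standard cmdlets there), that the DeviceOS string reported by affected devices begins with "iOS 6.1", and that a count of 5,000 log files is a reasonable alert threshold; the $userAlias, $deviceId and DeviceOS placeholders in the last step are to be filled in from the first step's output.

```powershell
# Added example (not from the original Tier1Net post). Run in the Exchange
# Management Shell on a mailbox server. Assumptions are marked as such.

# 1. Enumerate every ActiveSync partnership whose reported OS is iOS 6.1.x.
#    The "iOS 6.1*" pattern is an assumption about the DeviceOS string;
#    confirm it against a known 6.1 device before relying on it.
$ios61Devices = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceOS -like 'iOS 6.1*' } |
    Select-Object UserDisplayName, DeviceId, DeviceModel, DeviceOS, DeviceType

$ios61Devices | Sort-Object UserDisplayName | Format-Table -AutoSize
# Keep a copy so the list can be handed to the customer.
$ios61Devices | Export-Csv -Path .\ios61-devices.csv -NoTypeInformation

# 2. Watch transaction-log growth per mailbox database on this server.
#    The log folder path is local to the server hosting the database, so
#    restrict the query to the local machine. The threshold is an assumption.
$logCountThreshold = 5000
Get-MailboxDatabase -Server $env:COMPUTERNAME -Status | ForEach-Object {
    $logFolder = $_.LogFolderPath.PathName
    $logFiles  = @(Get-ChildItem -Path $logFolder -Filter '*.log' -ErrorAction SilentlyContinue)
    $sizeBytes = ($logFiles | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Database       = $_.Name
        LogFolder      = $logFolder
        LogFiles       = $logFiles.Count
        LogSizeGB      = [math]::Round(($sizeBytes / 1GB), 2)
        LastFullBackup = $_.LastFullBackup   # logs are normally truncated here
        Alert          = ($logFiles.Count -gt $logCountThreshold)
    }
} | Format-Table -AutoSize

# 3. Last-resort steps from the post, left commented out with placeholders.
#    (a) Block a single device for one mailbox; the user's other devices and
#        the rest of the organisation keep syncing.
#    $userAlias = 'PLACEHOLDER-alias';  $deviceId = 'PLACEHOLDER-DeviceId'
#    Set-CASMailbox -Identity $userAlias -ActiveSyncBlockedDeviceIDs @{Add = $deviceId}
#
#    (b) Block every device reporting a given OS string organisation-wide.
#        QueryString must match the DeviceOS value exactly as step 1 shows it.
#    New-ActiveSyncDeviceAccessRule -Name 'Block iOS 6.1' -Characteristic DeviceOS `
#        -QueryString 'PLACEHOLDER-exact-DeviceOS-string' -AccessLevel Block
```

Step 2 is the check to run on a schedule: a database whose LogFiles count keeps climbing between the LastFullBackup timestamps, while its users' devices appear in the step 1 list, is the pattern the post describes. Step 3(a) is the per-device block the post refers to; 3(b) is the broader block quoted from ZDNet, which takes every matching device offline until the rule is removed with Remove-ActiveSyncDeviceAccessRule.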

UPDATE: Apple has just released iOS version 6.1.1, but it does not appear to address the excessive logging issue. At this time, we still recommend taking the above precautions and refraining from upgrading.

UPDATE: Microsoft has released a Knowledge Base Article confirming the excessive logging threat and stating “Apple and Microsoft are investigating this issue. We will post more information in this article when the information becomes available.”

Please let us know if you have any questions.

Tier1Net Team