Security researchers at Trend Micro's Zero Day Initiative (ZDI) reported a serious new vulnerability in Microsoft Exchange Server to Microsoft at the beginning of September 2023. An attacker who successfully exploits it can run arbitrary code on the Exchange server.

Microsoft disagreed with ZDI's assessment of the severity and did not commit to an immediate fix, which led the ZDI team to disclose the issues publicly under their own vulnerability tracking IDs.

The ZDI team actually discovered four new vulnerabilities during this research and is currently tracking them as:

  • ZDI-23-1578 – A remote code execution (RCE) flaw in the ChainedSerializationBinder class, where user-supplied data isn't adequately validated, so an authenticated attacker can make the server deserialise untrusted data. Successful exploitation allows arbitrary code execution as SYSTEM.
  • ZDI-23-1579 – Located in the DownloadDataFromUri method, this flaw is due to insufficient validation of a URI before the resource it points to is accessed. An attacker can exploit it to read sensitive information from the Exchange server.
  • ZDI-23-1580 – This vulnerability, in the DownloadDataFromOfficeMarketPlace method, also stems from improper URI validation, potentially leading to unauthorised information disclosure.
  • ZDI-23-1581 – Present in the CreateAttachmentFromUri method, this flaw resembles the previous two, with inadequate URI validation again risking exposure of sensitive data.
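The three URI bugs share one root cause: a URI supplied by the user is fetched before it is checked. The following is an added example, not Exchange code, showing the kind of pre-fetch validation such a method needs, written in PowerShell against the same .NET System.Uri and System.Net classes Exchange is built on. The allowed schemes, the host allow list and the blocked address ranges are policy choices assumed for this example, and the sample URIs at the end are constructed.

```powershell
# Added example (not Exchange code): validate a user-supplied URI before any
# resource behind it is fetched. Policy values below are assumptions.

function Test-InternalAddress {
    # $true for addresses a server should never fetch from on a user's behalf:
    # loopback, RFC 1918, link-local (includes the 169.254.169.254 cloud
    # metadata endpoint), unspecified.
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)

    if ($Address.IsIPv4MappedToIPv6) { $Address = $Address.MapToIPv4() }
    if ([System.Net.IPAddress]::IsLoopback($Address)) { return $true }

    if ($Address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        $b = $Address.GetAddressBytes()
        if ($b[0] -eq 0)   { return $true }                                     # 0.0.0.0/8
        if ($b[0] -eq 10)  { return $true }                                     # 10.0.0.0/8
        if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true } # 172.16.0.0/12
        if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }                  # 192.168.0.0/16
        if ($b[0] -eq 169 -and $b[1] -eq 254) { return $true }                  # 169.254.0.0/16
        return $false
    }

    # IPv6: link-local fe80::/10, site-local, unique-local fc00::/7, unspecified ::
    if ($Address.IsIPv6LinkLocal -or $Address.IsIPv6SiteLocal) { return $true }
    $b = $Address.GetAddressBytes()
    if (($b[0] -band 0xfe) -eq 0xfc) { return $true }
    if ($Address.Equals([System.Net.IPAddress]::IPv6Any)) { return $true }
    return $false
}

function Test-SafeDownloadUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Uri,
        [string[]]$AllowedSchemes = @('https'),
        # Hostname suffixes that may be fetched, e.g. '.example.com'.
        # Empty means any public host; a bare 'example.com' does not match '.example.com'.
        [string[]]$AllowedHostSuffixes = @()
    )

    function Result([bool]$Allowed, [string]$Reason) {
        [pscustomobject]@{ Uri = $Uri; Allowed = $Allowed; Reason = $Reason }
    }

    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        return Result $false 'not an absolute URI'
    }
    if ($AllowedSchemes -notcontains $parsed.Scheme) {
        return Result $false "scheme '$($parsed.Scheme)' not allowed"
    }
    if ($parsed.UserInfo) {
        return Result $false 'credentials embedded in URI'
    }

    # DnsSafeHost strips the brackets from IPv6 literals; Host does not.
    $hostName = $parsed.DnsSafeHost
    if ($AllowedHostSuffixes.Count -gt 0) {
        $matched = $AllowedHostSuffixes | Where-Object {
            $hostName.EndsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $matched) { return Result $false "host '$hostName' not in allow list" }
    }

    # Resolve names and check every returned address; IP literals are checked directly.
    $type = $parsed.HostNameType
    if ($type -eq [System.UriHostNameType]::Dns) {
        try { $addresses = [System.Net.Dns]::GetHostAddresses($hostName) }
        catch { return Result $false "DNS resolution failed for '$hostName'" }
    } elseif ($type -eq [System.UriHostNameType]::IPv4 -or $type -eq [System.UriHostNameType]::IPv6) {
        $addresses = @([System.Net.IPAddress]::Parse($hostName))
    } else {
        return Result $false "unsupported host type $type"
    }
    foreach ($ip in $addresses) {
        if (Test-InternalAddress -Address $ip) {
            return Result $false "'$hostName' resolves to internal address $ip"
        }
    }
    return Result $true 'ok'
}

# Constructed sample URIs (not from the advisory). Only the first should pass.
$samples = @(
    'https://www.example.com/manifest.xml',
    'http://www.example.com/manifest.xml',       # plain HTTP
    'https://user:pw@www.example.com/',          # embedded credentials
    'https://127.0.0.1/ecp/',                    # loopback
    'https://[::1]/ecp/',                        # IPv6 loopback literal
    'https://169.254.169.254/latest/meta-data/', # cloud metadata endpoint
    'file:///C:/Windows/win.ini'                 # local file
)
$samples | ForEach-Object { Test-SafeDownloadUri -Uri $_ } | Format-Table -AutoSize
# With an allow list, IP literals and foreign hosts fail before resolution:
Test-SafeDownloadUri -Uri 'https://127.0.0.1/ecp/' -AllowedHostSuffixes '.example.com'
```

Resolving www.example.com needs network access; everything else in the sample runs offline. Two caveats a production version must handle: the check resolves the name itself, so an attacker controlling DNS can return a public address at check time and an internal one when the fetch happens (DNS rebinding), which means the fetch should connect to the address that was validated rather than resolving again; and HTTP redirects must be re-validated per hop, since a permitted host can redirect to an internal one.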

Reasons for Microsoft’s response

The vulnerabilities identified by the Trend Micro team all require the attacker to be authenticated to Exchange first, which keeps their CVSS scores between 7.1 and 7.5 (7.5 for the RCE, 7.1 for the three information-disclosure bugs) rather than in the critical range an unauthenticated bug would reach.

Microsoft states that the authentication requirement is a mitigating factor, and this is likely the reason for its response that it is not prioritising remediation of the bugs.

Microsoft has provided additional context on each of the discovered flaws:

  • Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected.
  • Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
  • Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials.
  • Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.
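Microsoft's note on ZDI-23-1578 turns the question into a practical one: is the August 2023 Security Update actually installed on every server? The following is an added example, not Microsoft's tooling, that reads the Exchange binary version from each server and compares it with a per-CU minimum revision. The three minimum builds in the table are assumed values for the re-released August 2023 SU (v2) and must be verified against Microsoft's published Exchange Server build-number table before being relied on. It is meant to run from the Exchange Management Shell and uses PowerShell remoting to reach the other servers; the version strings in the offline check at the end are constructed.

```powershell
# Added example (not Microsoft's code): report whether each Exchange server is at
# or above a minimum build. The entries in $MinimumBuilds are ASSUMED values for
# the August 2023 SU (re-released v2); verify them against Microsoft's published
# Exchange Server build-number table before use.

# CU prefix (major.minor.build) => minimum revision for that CU.
$MinimumBuilds = @{
    '15.2.1258' = 27   # Exchange 2019 CU13 + Aug23SUv2 (assumed)
    '15.2.1118' = 39   # Exchange 2019 CU12 + Aug23SUv2 (assumed)
    '15.1.2507' = 34   # Exchange 2016 CU23 + Aug23SUv2 (assumed)
}

function Test-ExchangeBuild {
    # Pure comparison, kept separate from collection so it can be run against
    # any build string (for example from an inventory export).
    param(
        [Parameter(Mandatory)][string]$FileVersion,   # e.g. '15.02.1258.027' from ExSetup.exe
        [Parameter(Mandatory)][hashtable]$Minimums
    )
    $build  = [version]$FileVersion                   # leading zeros are parsed away
    $prefix = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
    if (-not $Minimums.ContainsKey($prefix)) {
        # A CU with no entry has no August 2023 SU in the table: treat as unpatched.
        return [pscustomobject]@{ Build = $build; Status = 'UnknownCU'; MinimumRevision = $null }
    }
    $status = if ($build.Revision -ge $Minimums[$prefix]) { 'Patched' } else { 'NeedsUpdate' }
    [pscustomobject]@{ Build = $build; Status = $status; MinimumRevision = $Minimums[$prefix] }
}

function Get-ExchangeBuildStatus {
    # Collects ExSetup.exe's file version from each server. AdminDisplayVersion is
    # deliberately not used: it does not change when a Security Update is applied.
    param(
        [string[]]$Server = (Get-ExchangeServer | Select-Object -ExpandProperty Name),
        [hashtable]$Minimums = $MinimumBuilds
    )
    foreach ($name in $Server) {
        try {
            $fv = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                (Get-Command 'ExSetup.exe' -ErrorAction Stop).FileVersionInfo.FileVersion
            }
            $result = Test-ExchangeBuild -FileVersion $fv -Minimums $Minimums
            [pscustomobject]@{
                Server = $name; Build = $result.Build
                Status = $result.Status; MinimumRevision = $result.MinimumRevision
            }
        } catch {
            [pscustomobject]@{
                Server = $name; Build = $null
                Status = "Error: $($_.Exception.Message)"; MinimumRevision = $null
            }
        }
    }
}

# Offline check against constructed version strings (Patched, NeedsUpdate,
# Patched, UnknownCU in that order, given the assumed table above):
'15.02.1258.027', '15.02.1258.025', '15.01.2507.034', '15.02.0986.042' |
    ForEach-Object { Test-ExchangeBuild -FileVersion $_ -Minimums $MinimumBuilds } |
    Format-Table -AutoSize

# Live check from the Exchange Management Shell (needs WinRM to each server):
# Get-ExchangeBuildStatus | Format-Table -AutoSize
```

The comparison is per CU on purpose: a CU12 server fully patched with the August SU has a lower build number than an unpatched CU13 server, so a single global minimum would misreport it. A server whose CU has no entry in the table is reported as UnknownCU rather than Patched, because an unsupported CU has no August 2023 SU to install and should be treated as exposed.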