Microsoft and the Cybersecurity and Infrastructure Security Agency issued a “high-severity vulnerability” alert on Wednesday evening about a flaw affecting on-premises versions of Microsoft Exchange. The alert coincided with a talk at the Black Hat cybersecurity conference by the security researcher who discovered the flaw and presented it in detail.
The vulnerability allows an attacker who already holds administrative access to an on-premises Exchange server to chain a series of techniques that lead to compromise of on-premises Active Directory, Microsoft’s directory service that centralizes the management of users, computers and other resources across an organization’s network.
The flaw also exposes Entra ID, Microsoft’s cloud-based identity and access management service that identifies and authenticates users, according to a detailed blog post issued by the company.
Parts of the federal enterprise are susceptible to the vulnerability, and CISA plans to issue an emergency patching directive to agencies on Thursday, according to a person familiar with the matter.
Microsoft says in its blog post that it plans to accelerate customers’ adoption of the updated configuration for Exchange hybrid environments, a term for setups in which an organization uses both cloud and local infrastructure to support its network.
The company “will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal” to make customer environments more secure, it said. The shared service principal is the identity that on-premises Exchange servers have used to talk to Microsoft 365, and it is the component the attack abuses. The rollout will take place over the coming months.
In a related explainer, Microsoft said it first published security changes for Exchange Server hybrid deployments in April. The company later determined that those configuration steps also closed a real security flaw, but many organizations had not applied them.
At Black Hat in Las Vegas, Nevada, Dirk-jan Mollema, a researcher at Outsider Security, presented a long-form demo exploiting the flaw, in which he said he was able to modify user passwords, convert cloud users to hybrid users and impersonate hybrid users.
Through the exploit, attackers could also modify service principals, the identities that applications such as Exchange hold in Entra ID along with their assigned permissions. By tampering with those identities and permissions, an attacker could escalate privileges in the cloud tenant or establish persistent access between on-premises Exchange and Microsoft 365.
“These tokens, they’re basically valid for 24 hours. You cannot revoke them. So if somebody has this token, there’s absolutely nothing you can do from a defensive point of view,” Mollema said.
He was referring to the access tokens that on-premises Exchange servers obtain to talk to Microsoft 365. Such a token cannot be canceled once stolen, which gives an attacker up to 24 hours of unchecked access. Combined with the elevated permissions granted to the Exchange service principal, that access could let attackers read email data or move deeper into an organization’s cloud environment undetected.
Microsoft said that “there is no observed exploitation” of the vulnerability as of the time the alert was issued.
Multiple federal agencies, including the Department of Homeland Security, were affected by a separate on-premises Microsoft SharePoint vulnerability disclosed last month, as Nextgov/FCW first reported. That vulnerability was exploited worldwide by several China-linked hacking groups.
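Because a stolen token cannot be revoked, the practical defensive question is whether anything unexpected has been attached to the identity that issues them. The following audit script is an added illustration, not code from Microsoft, the article or the researcher. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read application objects, and that the well-known app ID below identifies the first-party “Office 365 Exchange Online” application; the 30-day review window is an arbitrary choice.

```powershell
# Added audit example (not Microsoft's or the article's code): list every key
# and password credential attached to the Exchange Online shared service
# principal in a tenant, so an administrator can see whether something has
# been added to the identity that on-premises Exchange uses to reach Microsoft 365.
# Assumptions: Microsoft.Graph module installed; Application.Read.All is granted;
# the appId below is the well-known first-party "Office 365 Exchange Online" app.
#Requires -Modules Microsoft.Graph.Applications

param(
    [datetime]$FlagAfter = (Get-Date).AddDays(-30)   # assumed review window
)

$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'" `
        -Property @('id', 'appId', 'displayName', 'keyCredentials', 'passwordCredentials')

if (-not $sp) {
    Write-Warning "No service principal found for appId $ExchangeOnlineAppId"
    return
}

"Service principal: $($sp.DisplayName) ($($sp.Id))"

# Normalize both credential types into one table for review.
$creds = @()
$creds += @($sp.KeyCredentials) | ForEach-Object {
    [pscustomobject]@{
        Kind  = 'key'
        Id    = $_.KeyId
        Name  = $_.DisplayName
        Type  = $_.Type
        Usage = $_.Usage
        Start = $_.StartDateTime
        End   = $_.EndDateTime
    }
}
$creds += @($sp.PasswordCredentials) | ForEach-Object {
    [pscustomobject]@{
        Kind  = 'password'
        Id    = $_.KeyId
        Name  = $_.DisplayName
        Type  = 'secret'
        Usage = 'Sign'
        Start = $_.StartDateTime
        End   = $_.EndDateTime
    }
}

if ($creds.Count -eq 0) {
    "No key or password credentials are attached to the shared service principal."
    return
}

$creds | Sort-Object Start | Format-Table -AutoSize

# Anything added inside the review window deserves a second look: a credential
# on this principal is what allows tokens to be minted in its name.
$recent = $creds | Where-Object { $_.Start -ge $FlagAfter }
if ($recent) {
    Write-Warning ("{0} credential(s) added since {1:u}; verify each one is expected." -f
        $recent.Count, $FlagAfter)
}
```

The script only surfaces what is attached to the principal; deciding which entries are legitimate, and carrying out Microsoft’s hybrid configuration guidance, remains the administrator’s job.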
The federal government, as well as thousands of state and local governments, rely heavily on Microsoft products. For the federal enterprise, Microsoft is predominantly used across civilian and defense agencies for routine tasks like file sharing, internal messaging, records management and remote collaboration.