Microsoft has addressed a number of Exchange Server flaws in its latest Patch (opens in new tab) Tuesday cumulative security update – however IT admins will also need to enable Extended Protection to fully mitigate some of them.
Extended Protection is a tool that enhances existing Windows Server authentication, and mitigates man-in-the-middle attacks, or authentication relays. The feature does so by using security information implemented through Channel-binding information, specified through a Channel Binding Token, primarily used for SSL connections.
This month’s cumulative update addresses a total of 121 vulnerabilities, including a number of Exchange flaws, such as CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516, which are all rated as critical as they allow for the escalation of privilege. These flaws can even be exploited by low-skilled threat actors, making them particularly dangerous. All of them, however, require the victim to visit a malicious server (opens in new tab).
Exploitation more likely
“Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment,” the Exchange Server Team said.
“Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack,” the team added. “Please note that enabling Extended Protection (EP) is only supported on specific versions of Exchange (please see documentation for a full list of prerequisites).”
Just because crooks aren’t yet exploiting these flaws, it doesn’t mean they won’t. Microsoft labeled all three flaws as “exploitation more likely”, suggesting IT admins apply the fixes immediately, as it’s only a matter of time before crooks start abusing the holes to deliver malware (opens in new tab).
“Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited,” Microsoft said.
“This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.”
Microsoft built a script that enables this feature, but advises admins to carefully evaluate their environments before using it on their servers.
Via: BleepingComputer (opens in new tab)
