09 December 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2331
   Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of
                           Privilege (3009712)
                               9 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6336 CVE-2014-6326 CVE-2014-6325 CVE-2014-6319

Original Bulletin:
   https://technet.microsoft.com/library/security/ms14-075

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS14-075 - Important

Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of
Privilege (3009712)

Published: December 9, 2014
Version: 1.0

Executive Summary

This security update resolves four privately reported vulnerabilities in
Microsoft Exchange Server. The most severe of these vulnerabilities could
allow elevation of privilege if a user clicks a specially crafted URL that
takes them to a targeted Outlook Web Access site. An attacker would have no
way to force users to visit a specially crafted website. Instead, an
attacker would have to convince them to visit the website, typically by
getting them to click a link in an email message or Instant Messenger
message that takes them to the attacker's website, and then convince them
to click the specially crafted URL.

This security update is rated Important for all supported editions of
Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and
Microsoft Exchange Server 2013.

Affected Software

  Microsoft Exchange Server 2007 Service Pack 3 (2996150)
  Microsoft Exchange Server 2010 Service Pack 3 (2986475)
  Microsoft Exchange Server 2013 Service Pack 1 (3011140)
  Microsoft Exchange Server 2013 Cumulative Update 6 (3011140)

Vulnerability Information

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server
does not properly validate input. An attacker who successfully exploited
these vulnerabilities could run script in the context of the current user.
An attacker could, for example, read content that the attacker is not
authorized to read, use the victim's identity to take actions on the
Outlook Web Access site on behalf of the victim, such as change permissions
and delete content, and inject malicious content in the browser of the
victim. Any system that is used to access an affected version of Outlook
Web Access would potentially be at risk to attack. The update addresses the
vulnerabilities by ensuring that URLs are properly sanitized.

  Vulnerability title        CVE number      Publicly disclosed   Exploited
  OWA XSS Vulnerability      CVE-2014-6325   No                   No
  OWA XSS Vulnerability      CVE-2014-6326   No                   No

Outlook Web Access Token Spoofing Vulnerability - CVE-2014-6319

A token spoofing vulnerability exists in Exchange Server when Microsoft
Outlook Web Access (OWA) fails to properly validate a request token. An
attacker who successfully exploited this vulnerability could then use the
vulnerability to send email that appears to come from a user other than
the attacker (e.g., from a trusted source). Customers who access their
Exchange Server email via Outlook Web Access are primarily at risk from
this vulnerability. The update addresses the vulnerability by ensuring that
Outlook Web Access properly validates request tokens.

Exchange URL Redirection Vulnerability - CVE-2014-6336

A spoofing vulnerability exists in Microsoft Exchange when Microsoft
Outlook Web Access (OWA) fails to properly validate redirection tokens. An
attacker who successfully exploited this vulnerability could redirect a
user to an arbitrary domain from a link that appears to originate from the
user's domain. An attacker could use the vulnerability to send email that
appears to come from a user other than the attacker. Customers who access
their Exchange Server email via Outlook Web Access are primarily at risk
from this vulnerability. The update addresses the vulnerability by ensuring
that URLs are properly sanitized.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVId4gxLndAQH1ShLAQLsQA//S81l/1e7JeOFMfsjqb0K98xvYBoQGsgC
YIkglumZWd9litX9BjG+gkl7p455vq+s9qXxWsSc6Vyvs4meaWKi7JEs7ZfYD9Jy
ew82wsrXLaBhr5Kzjh7WdlUF92E7iYOpaXLgAFDK2Eda6zauWmODF8OQcW54j1Sm
To8DodK3+J4D825VnXEXFCBLrA8IalQs9cINxFVyXWHGDsZIgTDKUlXOCYyPQSZO
ukosxGRXTeojrbyfGMpjZbKChsPI4x3wk/ppx7DkSSE08xYdigATApdbEFjHj9Nd
pmipHuXIUyIV+4gLbrQjPZHapnUBVJ1mtdklTvRxNfG8/umiM+LdthkfUqZr7M5+
sI0IFUZJ9afwODPH2lPmTQaqemwwxIaIAe6bMnNrPMR3YIMndXcmBQKrRILfXYj4
LenuXf5ZwLd+bmOq7IzhBUHE96KhExfvjEwVaBenrgpCS26ViBo6jWM0RtFu3LtM
UFf6RT8Z1PiL9gpsUkx5TA3e0geMpkc+BarEHiNPZjDr5f1DRaclxltR08lTN95R
CTvMRS+2xWRA6QLlMWMG4N6QMMG1gS5tpViY+UiqIANSQpGfkraP8GsEqqS0d9vb
ffPDKRKWyaZQ3ESlcrKKdyR9BUsbMaxTAj8YaESREYtjUD/kh6FV7bNmw7PNZPeo
no0/JLTaSlc=
=JEUG
-----END PGP SIGNATURE-----
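The bulletin describes two URL-handling failure modes in Outlook Web Access without showing code: a redirection token that is not validated (CVE-2014-6336, an open redirect that lets a link on the user's own domain land on an arbitrary one) and URLs that reach the page unsanitised (the OWA XSS entries, CVE-2014-6325 and CVE-2014-6326). The block below is an added example, not Microsoft's OWA code or anything from the AusCERT bulletin, showing each class as a minimal vulnerable handler next to a hardened one. The function names, the default landing path and the host name owa.example.com are assumptions for illustration, and the sample inputs are constructed; the hardened redirect check deliberately handles the usual same-origin bypasses (scheme-relative `//host`, backslashes, runs of leading slashes, userinfo `@` tricks and `javascript:` targets) that a naive "starts with /" test misses.

```python
"""Added example for the URL-handling flaws named in MS14-075.

Not Microsoft or AusCERT code. OWN_HOST, DEFAULT_LANDING and the handler
names are assumptions; the real OWA implementation is not public.
"""
from html import escape
from urllib.parse import urljoin, urlsplit

OWN_HOST = "owa.example.com"          # assumed hostname of the OWA front end
DEFAULT_LANDING = "/owa/"             # assumed safe fallback after sign-in
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}


def _has_control_chars(s: str) -> bool:
    """Browsers strip tabs/newlines before parsing; treat them as hostile."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


# --- Redirect token (CVE-2014-6336 class): vulnerable vs hardened -----------

def redirect_vulnerable(target: str) -> str:
    """Location header built straight from the request parameter."""
    return target


def redirect_hardened(target: str) -> str:
    """Return a Location value that can only land on OWN_HOST.

    Mirrors browser URL parsing where it differs from urllib: a backslash is
    a slash, and two or more leading slashes introduce an authority. Any
    target that does not resolve to https://OWN_HOST is replaced by
    DEFAULT_LANDING rather than repaired.
    """
    if not target or _has_control_chars(target):
        return DEFAULT_LANDING
    cand = target.strip(" ").replace("\\", "/")
    stripped = cand.lstrip("/")
    if len(cand) - len(stripped) >= 2:        # "///evil" behaves as "//evil"
        cand = "//" + stripped
    parts = urlsplit(urljoin(f"https://{OWN_HOST}/", cand))
    if (parts.scheme != "https" or parts.hostname != OWN_HOST
            or "@" in parts.netloc):          # no userinfo tricks either
        return DEFAULT_LANDING
    # Re-emit as a relative reference so the response never names a host.
    location = parts.path or "/"
    if parts.query:
        location += "?" + parts.query
    return location


# --- URL reflected into the page (OWA XSS class): vulnerable vs hardened ----

def render_link_vulnerable(url: str, text: str) -> str:
    """Interpolates attacker-controlled values straight into markup."""
    return f'<a href="{url}">{text}</a>'


def safe_href(url: str) -> str:
    """Allow-list the scheme, then attribute-encode; anything odd becomes '#'."""
    cleaned = url.strip(" ")
    if _has_control_chars(cleaned):           # "java\tscript:" style evasion
        return "#"
    scheme = urlsplit(cleaned).scheme         # urlsplit lower-cases the scheme
    if scheme and scheme not in SAFE_LINK_SCHEMES:
        return "#"
    return escape(cleaned, quote=True)


def render_link_hardened(url: str, text: str) -> str:
    """Scheme check plus contextual encoding for both attribute and body."""
    return f'<a href="{safe_href(url)}">{escape(text, quote=True)}</a>'


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and the classic bypasses.
    for t in ["/owa/?ae=Folder", "//evil.example/phish", "/\\evil.example",
              "///evil.example", f"https://{OWN_HOST}@evil.example/",
              "javascript:alert(1)"]:
        print(f"{t!r:42} vulnerable -> {redirect_vulnerable(t)!r}")
        print(f"{'':42} hardened   -> {redirect_hardened(t)!r}")
    for u in ["javascript:alert(document.cookie)",
              '/owa/?x="><script>alert(1)</script>']:
        print(render_link_vulnerable(u, "Inbox"))
        print(render_link_hardened(u, "Inbox"))
```

The redirect check returns a path rather than echoing the validated absolute URL, so even a later regression in the host comparison cannot leak a foreign origin into the Location header; the link renderer refuses unknown schemes instead of trying to strip `javascript:` out of them, because blocklists of scheme spellings are what the tab-in-scheme trick is built to defeat.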