-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1494
         Vulnerabilities in Microsoft Exchange Server Could Allow
                          Elevation of Privilege
                                9 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange Server
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Access Confidential Data   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2359 CVE-2015-1771 CVE-2015-1764

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-064

- --------------------------BEGIN INCLUDED TEXT--------------------

Bulletin Number:	MS15-064
Bulletin Title:		Vulnerabilities in Microsoft Exchange Server Could
			Allow Elevation of Privilege
Severity:		Important
KB Article:		3062157
Version:		1.0
Published Date:		June 9, 2015

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange
Server. The most severe of the vulnerabilities could allow elevation
of privilege if an authenticated user clicks a link to a specially
crafted webpage. An attacker would have no way to force users to visit the
website. Instead, an attacker would have to convince users to click a link,
typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Important for all supported editions of
Microsoft Exchange Server 2013.

Affected Software

Microsoft Exchange Server 2013

Vulnerability Information

Exchange Server-Side Request Forgery Vulnerability - CVE-2015-1764

An information disclosure vulnerability exists in Microsoft Exchange
web applications when Exchange does not properly manage same-origin
policy. An attacker could exploit this Server-Side Request Forgery (SSRF)
vulnerability by using a specially crafted web application request. An
attacker who successfully exploited this vulnerability could then:
- -	Scan and attack systems behind a firewall that are normally
inaccessible from the outside world
- -	Enumerate and attack services that are running on these host systems
- -	Exploit host-based authentication services

Exchange web applications are primarily at risk from this vulnerability. The
update addresses the vulnerability by modifying how Exchange web applications
manage same-origin policy.
Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was issued, Microsoft
had not received any information to indicate that this vulnerability had
been publicly used to attack customers.

Exchange Cross-Site Request Forgery Vulnerability - CVE-2015-1771

An elevation of privilege vulnerability exists in Microsoft Exchange web
applications when Exchange does not properly manage user sessions. For
this Cross-Site Request Forgery (CSRF/XSRF) vulnerability to be exploited,
the victim must be authenticated to (logged on to) the target site.

In a web-based attack scenario an attacker could host a website (or
leverage a compromised website that accepts or hosts user-provided content)
that contains a specially crafted webpage that is designed to exploit
the vulnerability. An attacker would have no way to force users to visit
the website. Instead, an attacker would have to convince users to click a
link, typically by way of an enticement in an email or Instant Messenger
message. An attacker who successfully exploited this vulnerability could
read content that the attacker is not authorized to read, use the victim's
identity to take actions on the web application on behalf of the victim,
such as change permissions and delete content, and inject malicious content
in the browser of the victim.

Exchange web applications are primarily at risk from this vulnerability. The
update addresses the vulnerability by modifying how Exchange web applications
manage user session authentication.
Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was issued, Microsoft
had not received any information to indicate that this vulnerability had
been publicly used to attack customers.

Exchange HTML Injection Vulnerability - CVE-2015-2359

An information disclosure vulnerability exists in Microsoft Exchange web
applications when Exchange does not properly sanitize HTML strings. To
exploit this HTML Injection vulnerability an attacker must have the ability
to submit a specially crafted script to a target site that uses HTML
sanitization. Where the vulnerability exists, in specific situations the
specially crafted script is not properly sanitized. The attacker-supplied
script could then be run in the security context of a user who views the
malicious content.

For HTML injection attacks, this vulnerability requires that a user be
visiting a compromised site for any malicious action to occur. For instance,
after an attacker has successfully submitted a specially crafted script
to a target site that uses HTML sanitization, any webpage on that site that
contains the specially crafted script is a potential vector for persistent
cross-site scripting attacks. When a user visits a webpage that contains
the specially crafted script, the script could be run in the security
context of the user.
Systems where users connect to a site that sanitizes HTML strings, such
as workstations or terminal servers, are primarily at risk. The update
addresses the vulnerability by correcting how Exchange web applications
sanitize HTML strings.

Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was issued, Microsoft
had not received any information to indicate that this vulnerability had
been publicly used to attack customers.
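
"In specific situations the specially crafted script is not properly sanitized" is the characteristic failure of a sanitizer that removes known-bad constructs instead of permitting known-good ones. The following added JavaScript (Node.js) example, not code from the bulletin or from Exchange, shows a blocklist sanitizer defeated by two constructed payloads beside an escape-then-allow sanitizer that cannot let an attribute or an unlisted tag through. The allowed tag set, the payloads and the helper names are assumptions.

```javascript
// Added example, not Exchange code: a blocklist sanitizer of the kind that fails "in
// specific situations" beside an escape-then-allow sanitizer. Tag list and payloads
// are assumptions.

// Blocklist: remove <script> elements and hope nothing else can run script.
function sanitizeBlocklist(html) {
  return html.replace(/<\/?script[^>]*>/gi, '');
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Allowlist: escape every character that can open markup, then restore only bare
// opening/closing tags from a fixed set. Matching runs on the escaped text, so a tag
// carrying any attribute (<a href=...>, <img onerror=...>) can never be restored.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li'];
const ALLOWED_TAG_RE = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');

function sanitizeAllowlist(html) {
  return escapeHtml(html).replace(ALLOWED_TAG_RE, '<$1$2>');
}

// Constructed payloads of the persistent cross-site scripting kind described above.
const PAYLOADS = {
  eventHandler: '<img src=x onerror=alert(1)>',          // no <script> tag at all
  nestedTag:    '<scr<script>ipt>alert(1)</script>',     // reassembles after one strip
  jsUrl:        '<b>hi</b> <a href="javascript:alert(1)">x</a>',
};

// Does sanitizer output still contain a raw tag that is unlisted or carries attributes?
function leaksMarkup(out) {
  const tagRe = /<\/?([a-z]+)[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(out)) !== null) {
    if (!ALLOWED_TAGS.includes(m[1].toLowerCase()) || /\s/.test(m[0])) return true;
  }
  return false;
}
```

The nested-tag payload is the textbook "specific situation": one pass removes the inner `<script>` and the remaining characters close up into a new one. Escaping first and restoring a closed set of exact strings has no such second state to reach. The cost is that `<br/>` or `<b class="x">` come out escaped rather than rendered; for user-submitted content that is the right default.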

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVXd1ghLndAQH1ShLAQLyjhAAiGdBTyT9K0dkwMRH4JluYtlKhBz1Ii3h
FSLbDRj7nJi3Tp8gu02xNp8VdXsc04TytZpyn9BWBpmQPPzpMisG7T9BUJrMZiZ5
b1e1pwmx6c4EwevZOoN4qExjgNRDOPxn3PaVtkD6JzH4cnhBeueI5xGSxReiEEON
V+L3Bdc9PCAiISy023mEgsJ376s7OSdyFLQRVLlzstS/D2RmBSu8cIU0jbAywnR5
FbN84GSPd7Lleck4AFBWrIjqVIUBP9srW1nkfnDY0jc2inIcW0nKJsfyyFLFULFa
tuYz30TvgyuV518s8JavB4mbjgEIbfu8avRhxb0yEzG0s1TxvsdfEcgTJzkT2iRN
mbVMF6CrSN0jyNfBOqnaZPMdVoOWcIItkX5OqYIJ4fLFu1JsJ4IGgjo0i3oVPnOe
LjIHh/7yTemdBr9CgG7uP7AIDachcipGZOyooRMg7qHWL2wufMrRLjtOwaOgr8hp
CTH/5d3f73KTMBFY0fnBiHl3OWF2FHrH/LO+qI3H+BgrqLbPDQW6g1wgakSTEfys
VTDDA+k5Xas06N3Dq2M/mt5H9Dbmzn3DW7L6zDAuZvpnIDr6A8ghHU7XD+QuvGEu
fvOJbqNG7lIMPgsvhjkmIPSqTI6vGS45Xhgifq6lucvfnLEa45+rkzgtvbzJEW5M
+N4ecBjDMkk=
=w8oU
-----END PGP SIGNATURE-----