Security Alerts

Microsoft Exchange 2013 and Newer Vulnerable to NTLM Relay Attacks

Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the EWS API functions is PushSubscriptionRequest, which can be used to cause the Exchange server to connect to an arbitrary website and attempt to negotiate the connection with NTLM authentication. In Microsoft Exchange 2013, 2016, and 2019, the NTLM Sign and Seal flags are being set, causing the authentication to be vulnerable to NTLM relay attacks. This can allow a remote attacker to gain the privileges of the Microsoft Exchange server.

In the default configuration, Microsoft Exchange has extensive privileges with respect to the Domain object in Active Directory. This means that an attacker who possesses credentials for an Exchange mailbox and can communicate with both the Exchange server and a Windows domain controller can gain Domain Admin privileges. Even without mailbox credentials, this attack may be used in an SMB to HTTP relay attack, provided the malicious actor is in the same network segment as the Exchange server.

While there is currently no practical solution available for the issue, there are a couple of potential workarounds: EWS Push/Pull subscriptions can be disabled, blocking the API call that allows the attack, or the Exchange privileges on the domain object can be removed.
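Before disabling EWS push subscriptions, it helps to know which callback URLs are actually in use and whether any point somewhere unexpected. The following is an added example, not Nuspire's or Microsoft's code: it audits EWS SOAP request bodies for PushSubscriptionRequest callback URLs outside an allowlist. It assumes request bodies and the authenticated user are captured at a reverse proxy in front of EWS; the allowlist, user names and sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

M_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"
T_NS = "http://schemas.microsoft.com/exchange/services/2006/types"
NS = {"m": M_NS, "t": T_NS}
# Assumption: hosts of internal applications known to receive EWS push notifications.
ALLOWED_CALLBACK_HOSTS = {"crm.corp.example"}

def push_callback_urls(soap_body):
    """Return the callback URLs of all PushSubscriptionRequest elements in one SOAP body."""
    try:
        # ElementTree does not fetch external entities; malformed bodies are skipped.
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []
    urls = []
    for request in root.iterfind(".//m:PushSubscriptionRequest", NS):
        for url in request.iterfind("t:URL", NS):
            if url.text and url.text.strip():
                urls.append(url.text.strip())
    return urls

def audit(captured):
    """captured: iterable of (user, soap_body). Return (user, url) pairs not on the allowlist."""
    findings = []
    for user, body in captured:
        for url in push_callback_urls(body):
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:
                host = ""  # unparseable URL: treat as not allowlisted
            if host not in ALLOWED_CALLBACK_HOSTS:
                findings.append((user, url))
    return findings

def sample_subscribe(url):
    """Constructed Subscribe request body for the demo (not captured traffic)."""
    return (
        f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:m="{M_NS}" xmlns:t="{T_NS}"><s:Body><m:Subscribe>'
        f"<m:PushSubscriptionRequest><t:StatusFrequency>1</t:StatusFrequency>"
        f"<t:URL>{url}</t:URL></m:PushSubscriptionRequest>"
        f"</m:Subscribe></s:Body></s:Envelope>"
    )

SAMPLES = [  # constructed (user, body) pairs
    ("alice@corp.example", sample_subscribe("https://crm.corp.example/ews/notify")),
    ("bob@corp.example", sample_subscribe("http://10.20.30.40/hook")),
    ("carol@corp.example", "<not-xml"),
]
```

An empty result from `audit` over a representative capture window suggests no application depends on push subscriptions to unknown hosts, which makes the first workaround easier to roll out.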

As always, Nuspire recommends only utilizing those communication and authentication methods and features that are absolutely necessary for your specific requirements. If you would like to know more, or need assistance with solving your security issues, please contact us.
