Blog entry by Les Bell

by Les Bell - Monday, November 6, 2023, 5:13 PM

Trend Micro's Zero Day Initiative has disclosed four new 0-day vulnerabilities in Microsoft's Exchange server. The vulnerabilities are:

The most serious of these is obviously ZDI-23-1578, which is described like this:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability.

The specific flaw exists within the ChainedSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
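The flaw class named above, deserialization of untrusted data reaching a serialization binder that does not validate type names, is easiest to see next to its standard fix. The C# below is an added illustration and is not Exchange's ChainedSerializationBinder or any Microsoft code: a hypothetical allow-list binder that refuses to resolve any type it has not been told to expect, with a small harness that assumes .NET Framework (BinaryFormatter is disabled by default on .NET 5 and later).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical allow-list binder (not Exchange's ChainedSerializationBinder).
// A binder that passes arbitrary type names through is what lets an attacker
// choose which class the formatter instantiates; this one only knows one type.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(MailboxSetting).FullName, typeof(MailboxSetting) },
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        // Throw rather than return null: on .NET Framework a null result lets
        // BinaryFormatter fall back to its own type resolution, silently
        // reopening the hole the binder is meant to close.
        throw new SerializationException("Type not in allow list: " + typeName);
    }
}

[Serializable]
public sealed class MailboxSetting { public string Name; public int Quota; }

public static class Demo
{
    public static byte[] Serialize(object o)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, o);
        return ms.ToArray();
    }

    // All untrusted input goes through the allow-list binder.
    public static object Deserialize(byte[] data)
    {
        var fmt = new BinaryFormatter { Binder = new AllowListBinder() };
        return fmt.Deserialize(new MemoryStream(data));
    }

    public static void Main()
    {
        var ok = (MailboxSetting)Deserialize(Serialize(new MailboxSetting { Name = "alice", Quota = 100 }));
        Console.WriteLine("Accepted: " + ok.Name);
        try { Deserialize(Serialize(new List<string> { "x" })); }   // not on the list
        catch (Exception e) { Console.WriteLine("Blocked: " + e.Message); }
    }
}
```

The second call is rejected before any object is constructed, which is the property a binder must provide; a binder that validates only some paths, or returns null, does not.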

Trend Micro reported the vulnerability to Microsoft on 7 September; however, Microsoft replied on 27 September:

The vendor states that the vulnerability does not require immediate servicing.

The company responded to the other vulnerabilities in the same way. I'm really not so sure about that. I'd be willing to bet that a number of threat actors are sitting on Exchange user credentials which they have acquired via phishing, infostealers or other exploits, and they could make use of these credentials to authenticate and then run an exploit based on one or more of these vulnerabilities. After all, the vulnerable classes and methods are identified right there, in the advisories. And if a threat actor doesn't have the necessary credentials, this gives them motivation to go phishing.

[Image: a man fishing on a lake. Photo by Pascal Müller on Unsplash.]

As the ZDI reports make clear, "Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application." I'd also be making my Exchange users a bit more aware of the possibilities of phishing attacks, and watching Exchange servers like a hawk.

Bazydlo, Piotr, ZDI Published Advisories, advisories list, 2 November 2023. Available online at https://www.zerodayinitiative.com/advisories/published/.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.