Executive Summary
Summary | |
---|---|
Title | Vulnerability in Outlook Web Access Could Allow Elevation of Privilege |
Information | | | |
---|---|---|---|
Name | KB2401593 | First vendor Publication | 2010-09-14 |
Vendor | Microsoft | Last vendor Modification | 1970-01-01 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | | | |
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session. This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Microsoft Exchange Server 2000, Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 are not affected by the vulnerability. For more information, see the section, Affected and Non-Affected Software.

Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Customers who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.

At this time, we are unaware of any attacks attempting to exploit this vulnerability. We will continue to monitor the threat landscape and update this advisory if the situation changes.

For more information about this issue, see the following references:

This advisory discusses the following software.

What is the scope of the advisory?

What is Exchange Outlook Web Access (OWA)?

What causes this threat?

What might an attacker use this vulnerability to do?

How could an attacker exploit the vulnerability?

Why is there no security update to address this vulnerability?

What do I do if I am using versions of the product for which an update is not available?
Administrators who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.

I am using an older release of the software discussed in this security advisory. What should I do?
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs. Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

The following workarounds refer to a setting or configuration change that does not correct the underlying issue but would help limit what an attacker might use the vulnerability to do. Note These workarounds do not block known attack vectors, but instead help limit how an attacker can exploit the vulnerability by selectively disabling functionality. Segmentation can be performed on a per-server basis to change the functionality of Outlook Web Access.
To prevent attackers from exploiting certain features in Outlook Web Access, administrators may choose to implement segmentation to disable features selectively. For information about how to disable rules by using segmentation in Microsoft Exchange Server 2007, see TechNet article, How to Manage Segmentation in Outlook Web Access. For information about how to disable rules by using segmentation in Microsoft Exchange Server 2003, see Microsoft Knowledge Base Article 833340.

Impact of workaround. Disabling rules will prevent an attacker from modifying the user's rules through OWA, preventing data exfiltration. However, an attacker could still modify a user's other options. After implementing this workaround, users will no longer be able to create or update rules using OWA. Existing rules will continue to operate. The impact of this workaround only affects functionality in Outlook Web Access, not in an Outlook client.

Implementing this workaround will prevent an attacker from being able to view or modify any Exchange options through OWA, preventing most known attacks against the vulnerability described in this advisory. For information about how to disable the Options panel by using UrlScan, see Microsoft Knowledge Base Article 2299129.

Impact of workaround. Users will no longer be able to modify Exchange options using OWA. Disabling Options also disables rules, as described above. The impact of this workaround only affects functionality in Outlook Web Access, not in an Outlook client.

Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 are not affected by the vulnerability. All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible.

If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2401593.mspx
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 3 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
67119 | Microsoft Outlook Web Access (OWA) Multiple Function CSRF. Microsoft Outlook Web Access contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the authentication of e-mail users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. |
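The weakness this record describes (CWE-352: a state-changing OWA rules request that is honoured on a plain GET, so a crafted image URL fires it with the victim's session cookie) and the reason the advisory's workarounds disable rules and the Options panel, as an added illustration that is not Microsoft's or OWA's code: a minimal model of the vulnerable handler beside a hardened one that requires POST, a same-origin check and a per-session anti-forgery token. The host name, session table, rule store and requests are constructed sample data.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ALLOWED_ORIGIN = "https://owa.example.test"      # assumed OWA host name
# Constructed session table: one logged-in user with a per-session token.
SESSIONS = {"s1": {"user": "alice", "csrf": secrets.token_hex(16)}}

def _session(req):
    """Look the request's session cookie up; None means not authenticated."""
    return SESSIONS.get(req["cookie"].get("sessionid"))

def vulnerable_update_rules(req, rules):
    """'Before' behaviour: any authenticated request, even an <img> GET, rewrites the rule."""
    sess = _session(req)
    if sess is None:
        return 401
    query = parse_qs(urlsplit(req["url"]).query)
    rules[sess["user"]] = {"forward_to": query["forward_to"][0]}
    return 200

def hardened_update_rules(req, rules):
    """Same action gated on method, Origin and a per-session anti-forgery token."""
    sess = _session(req)
    if sess is None:
        return 401
    if req["method"] != "POST":                           # <img> can only GET
        return 405
    if req["headers"].get("Origin") != ALLOWED_ORIGIN:    # cross-site form post
        return 403
    if not hmac.compare_digest(req["form"].get("csrf", ""), sess["csrf"]):
        return 403                                        # token not known off-site
    rules[sess["user"]] = {"forward_to": req["form"]["forward_to"]}
    return 200

# Constructed request as a browser sends it when an attacker's page contains
# <img src="https://owa.example.test/rules?forward_to=attacker@example.test">:
# the session cookie rides along, but no Origin header and no token are sent.
FORGED_GET = {
    "method": "GET",
    "url": "https://owa.example.test/rules?forward_to=attacker@example.test",
    "headers": {}, "cookie": {"sessionid": "s1"}, "form": {},
}

def legit_post(token, forward_to="alice-archive@example.test"):
    """Constructed same-origin POST from the real OWA form, carrying the token."""
    return {"method": "POST", "url": "https://owa.example.test/rules",
            "headers": {"Origin": ALLOWED_ORIGIN}, "cookie": {"sessionid": "s1"},
            "form": {"csrf": token, "forward_to": forward_to}}
```

Against the forged GET the vulnerable handler silently installs the attacker's forwarding address, while the hardened one refuses it before any state changes and still accepts the genuine form post.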
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Microsoft Office Outlook Web Access XSRF attempt RuleID : 17296 - Revision : 8 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-09-17 | Name : The remote web server is affected by a cross-site request forgery issue. File : smb_kb2401593.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:38:38 | |
2014-01-19 21:29:39 | |