Executive Summary

This Alert is flagged as belonging to the CWE/SANS TOP 25 Common Weakness Enumeration. For more information, see the CWE/SANS Top 25 list.
Summary
Title Vulnerability in Outlook Web Access Could Allow Elevation of Privilege
Information
Name: KB2401593
Vendor: Microsoft
Severity (Vendor): N/A
First vendor publication: 2010-09-14
Last vendor modification: 1970-01-01
Revision: 1.0

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA               Environmental score: NA
Impact sub score: NA         Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS base score: 6.8         Attack range: Network
CVSS impact score: 6.4       Attack complexity: Medium
CVSS exploit score: 8.6      Authentication: None required

Detail

General Information

Executive Summary

Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session.

This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Microsoft Exchange Server 2000, Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 are not affected by the vulnerability. For more information, see the section, Affected and Non-Affected Software.

Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Customers who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.

At this time, we are unaware of any attacks attempting to exploit this vulnerability. We will continue to monitor the threat landscape and update this advisory if the situation changes.

Advisory Details

Issue References

For more information about this issue, see the following references:

References       Identification
CVE Reference    CVE-2010-3213

Affected and Non-Affected Software

This advisory discusses the following software.

Affected Software
Microsoft Exchange Server 2003 Service Pack 2
Microsoft Exchange Server 2007 Service Pack 1
Microsoft Exchange Server 2007 Service Pack 2
Non-Affected Software
Microsoft Exchange Server 2000 Service Pack 3
Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010
Microsoft Exchange Server 2010 Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Outlook Web Access (OWA) for Microsoft Exchange Server. This affects the software that is listed in the Affected Software section.

What is Exchange Outlook Web Access (OWA)?
Outlook Web Access (OWA) is a webmail service of Microsoft Exchange Server 5.0 and later. The Web interface of Outlook Web Access resembles the interface in Microsoft Outlook. Outlook Web Access comes as a part of Microsoft Exchange Server.

What causes this threat?
Under certain circumstances, an authenticated OWA session can be hijacked by an attacker to perform actions on behalf of the user without the user's knowledge.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could perform actions on behalf of the authenticated user in the security context of the active OWA session, such as reading e-mail messages, adding new inbox rules, or changing OWA user preferences.

How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by convincing a targeted user to visit a malicious Web page that the attacker crafted specifically for the targeted Exchange domain, during an active OWA session.

Why is there no security update to address this vulnerability?
A security update is not available because addressing the vulnerability would require a design change to implement a new HTTP request verification framework for OWA to help prevent an attacker from hijacking a user's OWA session. Microsoft has determined that introducing a design change of such magnitude into affected versions of Microsoft Exchange Server would bear too high a risk of destabilizing and breaking customer environments.

What do I do if I am using versions of the product for which an update is not available?
Administrators running affected editions of Microsoft Exchange Server should upgrade to a non-affected version of Microsoft Exchange Server. Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 are not affected by the vulnerability.

Administrators who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.

I am using an older release of the software discussed in this security advisory. What should I do?
The affected software listed in this advisory has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Mitigating Factors and Suggested Actions

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

Workarounds

The following workarounds refer to a setting or configuration change that does not correct the underlying issue but would help limit what an attacker might use the vulnerability to do.

Note: These workarounds do not block known attack vectors, but instead help limit how an attacker can exploit the vulnerability by selectively disabling functionality.

  • Disable rules by using segmentation

    Segmentation can be performed on a per-server basis to change the functionality of Outlook Web Access. To prevent attackers from exploiting certain features in Outlook Web Access, Administrators may choose to implement segmentation to disable features selectively.

    For information about how to disable rules by using segmentation in Microsoft Exchange Server 2007, see TechNet article, How to Manage Segmentation in Outlook Web Access.

    For information about how to disable rules by using segmentation in Microsoft Exchange Server 2003, see Microsoft Knowledge Base Article 833340.

    Impact of workaround. Disabling rules will prevent an attacker from modifying the user's rules through OWA, preventing data exfiltration. However, an attacker could still modify a user's other options. After implementing this workaround, users will no longer be able to create or update rules using OWA. Existing rules will continue to operate. The impact of this workaround only affects functionality in Outlook Web Access, not in an Outlook client.

  • Disable the Options panel by using UrlScan

    Implementing this workaround will prevent an attacker from being able to view or modify any Exchange options through OWA, preventing most known attacks against the vulnerability described in this advisory.

    For information about how to disable the Options panel by using UrlScan, see Microsoft Knowledge Base Article 2299129.

    Impact of workaround. Users will no longer be able to modify Exchange options using OWA. Disabling Options also disables rules, as described above. The impact of this workaround only affects functionality in Outlook Web Access, not in an Outlook client.

Additional Suggested Actions

  • Upgrade to a non-affected version of Microsoft Exchange Server

    Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 are not affected by the vulnerability.

  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2401593.mspx

CWE : Common Weakness Enumeration

%       Id        Name
100 %   CWE-352   Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type          Description   Count
Application                 3

Open Source Vulnerability Database (OSVDB)

Id Description
67119 Microsoft Outlook Web Access (OWA) Multiple Function CSRF

Microsoft Outlook Web Access contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions performed by authenticated e-mail users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into loading the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.
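As an added illustration (not Microsoft's code and not part of the OSVDB entry), the Python sketch below contrasts the unverified request handling that the advisory's FAQ and the OSVDB description attribute to OWA with the kind of HTTP request verification the advisory says a fix would require. The session store, the OWA origin and the request names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side session store for this example (not Exchange/OWA code).
SESSIONS = {"sess-abc": {"user": "alice", "csrf_secret": secrets.token_hex(16)}}
# Assumed origin of the OWA front end; a placeholder, not a real host.
TRUSTED_ORIGIN = "https://owa.example.test"


def issue_token(session_id: str) -> str:
    """Anti-CSRF token for a session: an HMAC over the session id under a
    secret that only the server holds, so a cross-site page cannot forge it."""
    secret = SESSIONS[session_id]["csrf_secret"]
    return hmac.new(secret.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def add_rule_unverified(req: dict) -> str:
    """Pre-fix behaviour the advisory describes: the browser attaches the OWA
    session cookie to any request, so a GET triggered from a cross-site page
    (for example via an <img> tag) is honoured as the logged-in user."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return "401 not authenticated"
    return f"200 inbox rule added for {sess['user']}"


def add_rule_verified(req: dict) -> str:
    """Request verification: a state change must be a POST, must come from the
    OWA origin, and must carry the token issued to this very session."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return "401 not authenticated"
    if req.get("method") != "POST":
        return "405 state change requires POST"
    if req.get("origin") != TRUSTED_ORIGIN:
        return "403 cross-origin request rejected"
    if not hmac.compare_digest(req.get("token", ""), issue_token(req["cookie"])):
        return "403 missing or invalid request token"
    return f"200 inbox rule added for {sess['user']}"


# Constructed requests: what the browser sends for a cross-site <img> GET while
# the victim is logged in, and a legitimate form submission from OWA itself.
CROSS_SITE_IMG_GET = {"method": "GET", "cookie": "sess-abc"}
LEGIT_POST = {"method": "POST", "cookie": "sess-abc",
              "origin": TRUSTED_ORIGIN, "token": issue_token("sess-abc")}

if __name__ == "__main__":
    print(add_rule_unverified(CROSS_SITE_IMG_GET))  # forged request is honoured
    print(add_rule_verified(CROSS_SITE_IMG_GET))    # rejected before any state change
    print(add_rule_verified(LEGIT_POST))            # genuine request succeeds
```

The token check alone is what the advisory calls a request verification framework; the POST and Origin checks are the cheap defence-in-depth layers that also stop the `<img>`-driven GET the OSVDB entry describes.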

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Office Outlook Web Access XSRF attempt
RuleID : 17296 - Revision : 8 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2010-09-17 Name : The remote web server is affected by a cross-site request forgery issue.
File : smb_kb2401593.nasl - Type : ACT_GATHER_INFO

Alert History

Date                   Information
2014-02-17 11:38:38    Multiple Updates
2014-01-19 21:29:39    Multiple Updates