Microsoft Exchange Server HandleBackEndCalculationException Vulnerability

Overview:

  Microsoft Exchange Server is an ASP.NET implementation of an email and calendaring server and is capable of handling most standard Internet protocols as well as numerous proprietary Microsoft protocols and formats. Microsoft Exchange Server provides web access for users to various components such as Outlook Web Access and Autodiscover. Autodiscover is a component that allows clients to automatically discover the Exchange settings for the client without requiring users to know specific server addresses.

  A reflected cross-site scripting vulnerability has been reported in Microsoft Exchange Server. The vulnerability is due to insufficient sanitization of incoming request parameters reflected in exception messages returned by the server.

  A remote attacker can exploit this vulnerability by enticing a target user into clicking a malicious link. Successful exploitation could result in arbitrary script execution in the target user’s browser.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-41349.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  When any Exchange module receives an HTTP request, it is eventually handled by the OnPostAuthorizeInternal() method of the ProxyModule class in Microsoft.Exchange.FrontEndHttpProxy.dll. If the request is not authenticated, the SelectHandlerForUnauthenticatedRequest() method is called; it checks the value of the HttpProxy.ProtocolType property to determine which module received the request and decides which specific ProxyRequestHandler class to instantiate to handle it. When the request is received by the Autodiscover module (i.e. the request-URI begins with “/autodiscover”), HttpProxy.ProtocolType is set to “Autodiscover” and as a result SelectHandlerForUnauthenticatedRequest() creates an AutodiscoverProxyRequestHandler object as the handler for the request.

  Once the handler is chosen, the Run() method of the ProxyRequestHandler object is called which applies the handler to the HttpContext object for the request with the RemapHandler() method. The request is then processed with the BeginProcessRequest() method which queues a call to the BeginCalculateTargetBackEnd() method in the thread pool. BeginCalculateTargetBackEnd() calls InternalBeginCalculateTargetBackEnd() which attempts to resolve the anchor mailbox location for the request. The resolution is performed by first calling TryDirectTargetCalculation(), which returns null because this is the default method behaviour and the method is not overridden by AutodiscoverRequestHandler or any of its parent classes. InternalBeginCalculateTargetBackEnd() then calls ResolveAnchorMailbox() which is overridden in AutodiscoverRequestHandler and its parent classes EwsAutodiscoverProxyRequestHandler and BEServerCookieProxyRequestHandler.

  AutodiscoverRequestHandler.ResolveAnchorMailbox() only handles autodiscover requests with a request-URI containing “/wssecurity/x509cert” and otherwise calls EwsAutodiscoverProxyRequestHandler.ResolveAnchorMailbox(). This method inspects the request-URI to see if it corresponds to a specific type of autodiscover request. If the request path ends with “/autodiscover.json” it is considered an “autodiscover V2 preview request” and if this is the case, an explicit logon address is retrieved from the Email HTTP query, form field, or cookie value. When attempting to retrieve the value from HTML form fields, the ValidateHttpValueCollection() method is called to validate the form fields. In turn, this method calls ValidateString() on each form field.

  Each field is checked by calling System.Web.Util.RequestValidator.IsValidRequestString(), which calls System.Web.CrossSiteScriptingValidation.IsDangerousString() with the form field value. This method considers the value dangerous if it contains either (1) ‘<’ followed by a letter, ‘!’, ‘/’, or ‘?’; or (2) the sequence “&#”. If the form field value is considered dangerous, the ValidateString() method throws an HttpRequestValidationException. This exception's message contains the form field name and its truncated value.

  If an HttpRequestValidationException exception is thrown, it is caught by the method BeginCalculateTargetBackEnd() and the exception is handled by HandleBackEndCalculationException(). This exception is eventually handled by the method HandleHttpException(), which returns the exception message as the HTTP response, without encoding the message contents.
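  The error path described above, modelled as an added example (not Exchange or .NET code): a re-implementation of the dangerous-string heuristic as the advisory describes it, the exception message that embeds the offending field name and value, and the handler that reflects that message raw beside a hardened handler that HTML-encodes it. The message wording, truncation length and the `<b>injected</b>` sample value are constructed for illustration.

```python
"""Model of the failure mode in the advisory: request validation rejects a
'dangerous' form value, the exception message embeds the raw value, and an
error handler that writes the message to the response without HTML-encoding
turns the rejection itself into reflected XSS. Added example; the heuristic
and handlers are illustrative re-implementations, not the Microsoft code."""
import html

# Per the advisory, a value is dangerous if it contains '<' followed by a
# letter, '!', '/' or '?', or the sequence "&#".
_AFTER_LT = set("!/?")


def is_dangerous_string(value: str) -> bool:
    """Re-implementation of the CrossSiteScriptingValidation heuristic as described."""
    if "&#" in value:
        return True
    for i, ch in enumerate(value[:-1]):
        nxt = value[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in _AFTER_LT):
            return True
    return False


def validation_error_message(field: str, value: str, max_len: int = 16) -> str:
    """Mimics the shape of HttpRequestValidationException's message: the field
    name plus a truncated copy of the offending value (wording is constructed)."""
    shown = value if len(value) <= max_len else value[:max_len] + "..."
    return (f"A potentially dangerous Request.Form value was detected from "
            f"the client ({field}=\"{shown}\").")


def handle_http_exception_unsafe(message: str) -> str:
    """Vulnerable pattern: exception text copied straight into the HTML body."""
    return f"<html><body><h1>Error</h1><p>{message}</p></body></html>"


def handle_http_exception_safe(message: str) -> str:
    """Hardened pattern: encode before reflecting, so '<' becomes '&lt;'."""
    return f"<html><body><h1>Error</h1><p>{html.escape(message, quote=True)}</p></body></html>"


def process_form(field: str, value: str, safe: bool) -> str:
    """Simulate the Email form field flowing through validation into the error path."""
    if not is_dangerous_string(value):
        return "OK"
    msg = validation_error_message(field, value)
    return (handle_http_exception_safe if safe else handle_http_exception_unsafe)(msg)


if __name__ == "__main__":
    print(process_form("Email", "<b>injected</b>", safe=False))  # markup survives
    print(process_form("Email", "<b>injected</b>", safe=True))   # markup neutralised
```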

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must be able to deliver a malicious URL to the target user.

Triggering Conditions:

  An attacker entices a user to open a page that redirects the user to a malicious URL. The vulnerability is triggered when the server parses the crafted request and returns a page containing injected JavaScript code to the target user’s browser.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15711 Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-41349)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Upgrading to a version unaffected by the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Microsoft Security Bulletin Coverage for November 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-38666 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 254: Malformed-File exe.MP_220

CVE-2021-42292 Microsoft Excel Security Feature Bypass Vulnerability
ASPY 253: Malformed-File xls.MP_74

CVE-2021-42298 Microsoft Defender Remote Code Execution Vulnerability
ASPY 252: Malformed-File html.MP_111

The following vulnerabilities do not have exploits in the wild:
CVE-2021-26443 Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26444 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36957 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow
There are no known exploits in the wild.
CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38665 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40442 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41349 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41351 Microsoft Edge (Chrome based) Spoofing on IE Mode
There are no known exploits in the wild.
CVE-2021-41356 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41367 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41368 Microsoft Access Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41370 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41371 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41372 Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41373 FSLogix Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41374 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41375 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41376 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41377 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41378 Windows NTFS Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41379 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42274 Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-42275 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42276 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42277 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-42280 Windows Feedback Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42283 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42284 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-42285 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42286 Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42288 Windows Hello Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42296 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42300 Azure Sphere Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-42301 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-42302 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42303 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42304 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42305 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-42316 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42319 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42322 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42323 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43209 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.