Security researchers have discovered a design flaw in a feature of Microsoft Exchange Server that can be misused to collect Windows domain and application credentials from users. Microsoft is now examining the case.
The bug discovered by the security company Guardicore lies in Microsoft's Autodiscover protocol. This is a feature of the Exchange e-mail server that lets e-mail clients automatically locate their mail servers, transmit credentials and then receive the correct configuration. Autodiscover now turns out to have a bug, or rather a so-called design error, which can cause login credentials to be sent to unauthorized third parties.
Simplification carries the risk
The security researchers explain how it all works and where the problem lies: the protocol is an important part of Exchange e-mail servers, as it gives administrators an easy way to ensure that clients use the correct SMTP, IMAP, LDAP, WebDAV and other settings. To obtain this automatic configuration, e-mail clients typically ping a set of predefined URLs derived from the domain of the user's e-mail address:
The problem is that this autodiscovery mechanism uses a “back-off” procedure if it does not find the Exchange server's Autodiscover endpoint on the first attempt. This “back-off” mechanism is the cause of the leak. To understand the extent of the problem, Guardicore ran honeypot servers.
For more than four months, from April to August 2021, these servers, according to Guardicore, received hundreds of requests carrying thousands of credentials from users who tried to set up their e-mail clients but whose clients could not find their employer's correct Autodiscover endpoint. “The interesting problem with a large chunk of the requests we received was that there was no attempt on the client-side to verify that the resource was available or even existed on the server before sending an authenticated request,” explains Guardicore in its now published report.
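The two preceding paragraphs describe the back-off sequence and the missing client-side check. The following Python model is an added example, not Guardicore's or Microsoft's code, and it makes one assumption the article does not spell out: that a naive client first tries `autodiscover.<domain>` and `<domain>`, then strips the leftmost DNS label and retries `autodiscover.<rest>` until only `autodiscover.<tld>` is left. The `probe` callable stands in for an unauthenticated HTTP request; the hostnames and the `honeypot_probe` scenario are constructed for the demonstration.

```python
"""Constructed model of the Autodiscover back-off and a client-side guard.

Assumptions (not taken from the article): the candidate order below
approximates the naive client's behaviour; `probe(url)` stands in for an
unauthenticated HTTP check and returns True when the endpoint answers.
"""
from __future__ import annotations

from typing import Callable, Optional
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def mail_domain(email: str) -> str:
    """Domain part of an address, lower-cased (alice@Example.com -> example.com)."""
    return email.rsplit("@", 1)[1].lower()


def autodiscover_candidates(email: str) -> list[str]:
    """Candidate endpoint URLs in the order a naive back-off client tries them."""
    domain = mail_domain(email)
    urls = [f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
            f"https://{domain}{AUTODISCOVER_PATH}"]
    labels = domain.split(".")
    # Back-off (assumed): drop the leftmost label and retry with the
    # autodiscover. prefix, e.g. example.com -> autodiscover.com.
    for i in range(1, len(labels)):
        rest = ".".join(labels[i:])
        urls.append(f"https://autodiscover.{rest}{AUTODISCOVER_PATH}")
    return urls


def in_scope(url: str, domain: str) -> bool:
    """True only for HTTPS endpoints at the user's own domain or a subdomain of it."""
    parts = urlparse(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == domain or host.endswith("." + domain))


def leaking_candidates(email: str) -> list[str]:
    """URLs in the back-off sequence that lie outside the user's own domain."""
    domain = mail_domain(email)
    return [u for u in autodiscover_candidates(email) if not in_scope(u, domain)]


def naive_client(email: str, probe: Callable[[str], bool]) -> Optional[str]:
    """Flawed behaviour described in the report: authenticate to the first
    endpoint in the sequence that answers, wherever that host lives."""
    for url in autodiscover_candidates(email):
        if probe(url):
            return url
    return None


def guarded_client(email: str, probe: Callable[[str], bool]) -> Optional[str]:
    """Hardened behaviour: check the endpoint unauthenticated first, and never
    send credentials to a host outside the user's own domain."""
    domain = mail_domain(email)
    for url in autodiscover_candidates(email):
        if not in_scope(url, domain):
            continue  # never leave the organisation's domain
        if probe(url):
            return url
    return None


def honeypot_probe(url: str) -> bool:
    """Constructed scenario: the organisation's own endpoint is unreachable,
    while a third-party host at the top-level autodiscover name answers."""
    return urlparse(url).hostname == "autodiscover.com"


if __name__ == "__main__":
    addr = "alice@example.com"
    for u in autodiscover_candidates(addr):
        print(u)
    print("naive client would authenticate to:", naive_client(addr, honeypot_probe))
    print("guarded client would authenticate to:", guarded_client(addr, honeypot_probe))
```

The scope check is deliberately strict: `in_scope` accepts only HTTPS and only hosts ending in the user's own domain, so every back-off step that climbs above that domain is skipped, and the guarded client simply reports no endpoint instead of authenticating elsewhere. Whether a parent domain should also be trusted is a policy decision for the organisation, not something a client should infer from DNS labels.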
“Guardicore captured 372,072 Windows domain logins and 96,671 unique logins from various applications such as Microsoft Outlook,” the researchers said.
When asked by The Record, Microsoft commented on Guardicore's findings: “We are actively investigating the problem and will take appropriate measures to protect our customers. We are committed to coordinated vulnerability disclosure, an industry-standard, collaborative approach that avoids unnecessary risks for customers before issues are made public. Unfortunately, we were not notified of this issue until the researcher's marketing team presented it to the media, so we only learned of the allegations today.”
Manager at Research Snipers, RS-NEWS, digital marketing enthusiast and industry professional in digital technologies, technology news, mobile phones, software and gadgets with vast experience in the tech industry; I have a keen interest in technology and breaking news.