Microsoft Security Bulletin MS15-026 - Important

Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856)

Published: March 10, 2015

Version: 1.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Exchange Server sanitizes page content in Outlook Web App and by correcting the way Exchange validates meeting organizer authenticity when accepting, scheduling, or modifying meeting requests in Exchange calendars. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this document, see Microsoft Knowledge Base Article 3040856.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

| Software | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|
| **Microsoft Server Software** | | | |
| Microsoft Exchange Server 2013 Service Pack 1 (3040856) | Elevation of Privilege | Important | None |
| Microsoft Exchange Server 2013 Cumulative Update 7 (3040856) | Elevation of Privilege | Important | None |

Update FAQ

**Does this update contain any non-security related changes to functionality?** No, Exchange Server 2013 Security Updates only contain fixes for the issue(s) identified in the security bulletin.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

| Affected Software | OWA Modified Canary Parameter Cross Site Scripting Vulnerability - CVE-2015-1628 | ExchangeDLP Cross Site Scripting Vulnerability - CVE-2015-1629 | Audit Report Cross Site Scripting Vulnerability - CVE-2015-1630 | Exchange Forged Meeting Request Spoofing Vulnerability - CVE-2015-1631 | Exchange Error Message Cross Site Scripting Vulnerability - CVE-2015-1632 | Aggregate Severity Rating |
|---|---|---|---|---|---|---|
| **Microsoft Server Software** | | | | | | |
| Microsoft Exchange Server 2013 Service Pack 1 (3040856) | Important (Elevation of Privilege) | Important (Elevation of Privilege) | Important (Elevation of Privilege) | Important (Spoofing) | Important (Elevation of Privilege) | Important |
| Microsoft Exchange Server 2013 Cumulative Update 7 (3040856) | Important (Elevation of Privilege) | Important (Elevation of Privilege) | Important (Elevation of Privilege) | Important (Spoofing) | Important (Elevation of Privilege) | Important |

Vulnerability Information

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server does not properly sanitize page content in Outlook Web App. An attacker could exploit these vulnerabilities by modifying certain properties within Outlook Web App and then convincing users to browse to the targeted Outlook Web App site. An attacker who successfully exploited these vulnerabilities could run script in the context of the current user. The script could then, for example, use the victim's identity to take actions on the affected Outlook Web App site on behalf of the victim with the same permissions as the current user. Any system that is used to access an affected version of Outlook Web App would potentially be at risk of attack. The update addresses the vulnerabilities by correcting how Exchange Server sanitizes page content in Outlook Web App.

For these vulnerabilities to be exploited, a user must click a specially crafted URL that takes the user to a targeted Outlook Web App site.

In an email attack scenario, an attacker could exploit the vulnerabilities by sending an email message containing the specially crafted URL to the user of the targeted Outlook Web App site and convincing the user to click the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL to the targeted Outlook Web App site that is used to attempt to exploit these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit these vulnerabilities. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

| Vulnerability title | CVE number | Publicly Disclosed | Exploited |
|---|---|---|---|
| OWA Modified Canary Parameter Cross Site Scripting Vulnerability | CVE-2015-1628 | No | No |
| ExchangeDLP Cross Site Scripting Vulnerability | CVE-2015-1629 | No | No |
| Audit Report Cross Site Scripting Vulnerability | CVE-2015-1630 | No | No |
| Exchange Error Message Cross Site Scripting Vulnerability | CVE-2015-1632 | No | No |

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

  • Workaround for the OWA Modified Canary Parameter Cross Site Scripting Vulnerability - CVE-2015-1628

    Use a Web Application Firewall (WAF) to block requests to

    <host>/owa/?ae=Item&t=AD.RecipientType.User&id=<id>

    where the cookie "X-OWA-Canary" contains a double quote ("), HTML markup, or JavaScript.

  • Workaround for the Exchange Error Message Cross Site Scripting Vulnerability - CVE-2015-1632

    Use a Web Application Firewall (WAF) to block requests to

    <host>/errorfe.aspx?httpCode=500&ts=130560784095001947&be=DB4PR07MB0703&authError=LiveConfigurationHRESULTException&msg=GenericAuthErrorMessage&msgParam=<param>

    where the query parameter "msgParam" contains a javascript URI.
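The two WAF workarounds above expressed as a request filter, added here as an illustration (not Microsoft's code): it assumes the WAF passes in the request URL and the raw Cookie header, and returns the workaround condition a request trips, or None if it may pass.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conditions from the MS15-026 workarounds. The regexes are constructed here:
# a double quote, an HTML tag, a javascript: scheme, or an on*= event handler.
DANGEROUS_CANARY = re.compile(r'"|<[^>]*>|javascript\s*:|\bon\w+\s*=', re.I)
JS_URI = re.compile(r'^\s*javascript\s*:', re.I)


def parse_cookies(header):
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def is_canary_item_request(path, query):
    """Match the request shape named in the CVE-2015-1628 workaround:
    /owa/?ae=Item&t=AD.RecipientType.User&id=<id>"""
    return (path.lower() == "/owa/"
            and query.get("ae") == ["Item"]
            and query.get("t") == ["AD.RecipientType.User"]
            and "id" in query)


def check_request(url, cookie_header=""):
    """Return a block reason string, or None if the request may pass."""
    parts = urlsplit(url)
    # parse_qs percent-decodes values, so %22 or %3A are caught like literals.
    query = parse_qs(parts.query, keep_blank_values=True)

    # CVE-2015-1628: the X-OWA-Canary cookie must not carry quote/markup/script.
    if is_canary_item_request(parts.path, query):
        canary = parse_cookies(cookie_header).get("X-OWA-Canary", "")
        if DANGEROUS_CANARY.search(canary):
            return "block: CVE-2015-1628 X-OWA-Canary contains quote/markup/script"

    # CVE-2015-1632: msgParam on errorfe.aspx must not be a javascript: URI.
    if parts.path.lower() == "/errorfe.aspx":
        for value in query.get("msgParam", []):
            if JS_URI.match(value):
                return "block: CVE-2015-1632 msgParam is a javascript: URI"

    return None
```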

Exchange Forged Meeting Request Spoofing Vulnerability - CVE-2015-1631

A spoofing vulnerability exists in Exchange Server when Exchange fails to properly validate meeting organizer identity when accepting or modifying meeting requests. An attacker who successfully exploited this vulnerability could then use the vulnerability to schedule or modify meetings while appearing to originate from a legitimate meeting organizer. Customers using affected versions of Exchange Server are at risk for this vulnerability. The update addresses the vulnerability by correcting the way Exchange validates meeting organizer authenticity when accepting, scheduling, or modifying meeting requests in Exchange calendars.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (March 10, 2015): Bulletin published.
