Microsoft Security Bulletin MS14-075 - Important

Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)

Published: December 9, 2014 | Updated: December 12, 2014

Version: 3.0

Executive Summary

This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by ensuring that Outlook Web App properly validates request tokens and by ensuring that URLs are properly sanitized. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this document, see Microsoft Knowledge Base Article 3009712.

 

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Software                                                 | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced
Microsoft Server Software
Microsoft Exchange Server 2007 Service Pack 3 (2996150)  | Elevation of Privilege  | Important                 | 2903911 in MS13-105
Microsoft Exchange Server 2010 Service Pack 3 (2986475)  | Elevation of Privilege  | Important                 | 2905616 in MS13-105
Microsoft Exchange Server 2013 Service Pack 1 (3011140)  | Elevation of Privilege  | Important                 | None
Microsoft Exchange Server 2013 Cumulative Update 6 (3011140) | Elevation of Privilege | Important              | None


Update FAQ

Does this update contain any non-security related changes to functionality?
No, Exchange Server 2013 Security Updates only contain fixes for the issue(s) identified in the security bulletin.

Update Rollups for Exchange Server 2007 and Exchange Server 2010 may contain additional new fixes. Customers who have not remained current in their deployment of the cumulative update rollups may experience new functionality after applying this update.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the December bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software                                  | Outlook Web App Token Spoofing Vulnerability (CVE-2014-6319) | OWA XSS Vulnerability (CVE-2014-6325) | OWA XSS Vulnerability (CVE-2014-6326) | Exchange URL Redirection Vulnerability (CVE-2014-6336) | Aggregate Severity Rating
Microsoft Server Software
Microsoft Exchange Server 2007 Service Pack 3      | Important / Spoofing | Not applicable                     | Not applicable                     | Not applicable       | Important
Microsoft Exchange Server 2010 Service Pack 3      | Important / Spoofing | Not applicable                     | Not applicable                     | Not applicable       | Important
Microsoft Exchange Server 2013 Service Pack 1      | Important / Spoofing | Important / Elevation of Privilege | Important / Elevation of Privilege | Important / Spoofing | Important
Microsoft Exchange Server 2013 Cumulative Update 6 | Important / Spoofing | Important / Elevation of Privilege | Important / Elevation of Privilege | Important / Spoofing | Important


Vulnerability Information

Outlook Web App Token Spoofing Vulnerability - CVE-2014-6319

A token spoofing vulnerability exists in Exchange Server when Microsoft Outlook Web App (OWA) fails to properly validate a request token. An attacker who successfully exploited this vulnerability could send email that appears to come from a user other than the attacker (for example, from a trusted source). Customers who access their Exchange Server email via Outlook Web App are primarily at risk from this vulnerability. The update addresses the vulnerability by ensuring that Outlook Web App properly validates request tokens.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view attacker controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.
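The bulletin does not describe OWA's token format, so the following Python is an added illustration of the defect class behind a "request token" check that does not bind the token to the authenticated user; it is not Exchange or OWA code. The session identifiers, mailbox names, form fields and the HMAC construction are assumptions for the example. The weak handler verifies that the token is genuine but checks it against a session the client names, and takes the From address from the form; the hardened handler checks the token against the session that is actually authenticated and derives the sender from that session.

```python
import hashlib
import hmac
import secrets

# Constructed fixtures (assumptions for this example): each authenticated session
# is allowed to send as exactly one mailbox.
SESSIONS = {
    "sess-alice": "alice@example.com",
    "sess-mallory": "mallory@example.com",
}

# Server-side key for minting request tokens. Generated per process here; a real
# service loads it from protected configuration and never exposes it to clients.
TOKEN_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Mint a request token bound to the session it is issued to (HMAC-SHA256)."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def send_mail_weak(session_id: str, form: dict):
    """Weak handler.

    The token is genuine (it verifies under TOKEN_KEY), but it is checked against
    the session id the *client* names in the form rather than the session that is
    actually authenticated (session_id is never consulted), and the From address
    is taken from the form as well. A user holding a token for their own session
    can therefore send as anyone.
    """
    claimed_session = form.get("token_session", "")
    expected = issue_token(claimed_session)
    if not hmac.compare_digest(expected, form.get("token", "")):
        return None
    return {"from": form.get("from"), "to": form["to"], "body": form["body"]}


def send_mail_hardened(session_id: str, form: dict):
    """Hardened handler.

    The token must be the one issued to the authenticated session (constant-time
    comparison), and the sender is the mailbox bound to that session; any From
    value in the form is ignored.
    """
    sender = SESSIONS.get(session_id)
    if sender is None:
        return None
    expected = issue_token(session_id)
    if not hmac.compare_digest(expected, form.get("token", "")):
        return None
    return {"from": sender, "to": form["to"], "body": form["body"]}


if __name__ == "__main__":
    # Mallory holds a valid token for her own session and submits it together
    # with Alice's address in the From field (constructed request).
    forged = {
        "token": issue_token("sess-mallory"),
        "token_session": "sess-mallory",
        "from": "alice@example.com",
        "to": "bob@example.com",
        "body": "Please approve the wire transfer.",
    }
    print("weak    :", send_mail_weak("sess-mallory", forged))
    print("hardened:", send_mail_hardened("sess-mallory", forged))
```

The point of the hardened version is that the token proves only "this request came from a page the server rendered for this session"; the sender identity must come from the server's own session state, never from a client-supplied field, and the token must be compared against the session the server authenticated, not one the client names.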

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server does not properly validate input. An attacker who successfully exploited these vulnerabilities could run script in the context of the current user. An attacker could, for example, read content that the attacker is not authorized to read, use the victim's identity to take actions on the Outlook Web App site on behalf of the victim (such as changing permissions and deleting content), and inject malicious content into the victim's browser. Any system that is used to access an affected version of Outlook Web App would potentially be at risk of attack. The update addresses the vulnerabilities by ensuring that URLs are properly sanitized.

For these vulnerabilities to be exploited, a user must click a specially crafted URL that takes the user to a targeted Outlook Web App site.

In an email attack scenario, an attacker could exploit the vulnerabilities by sending an email message containing the specially crafted URL to the user of the targeted Outlook Web App site and convincing the user to click the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL to the targeted Outlook Web App site that is used to attempt to exploit these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit these vulnerabilities. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   | CVE number    | Publicly Disclosed | Exploited
OWA XSS Vulnerability | CVE-2014-6325 | No                 | No
OWA XSS Vulnerability | CVE-2014-6326 | No                 | No


Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

Microsoft has not identified any workarounds for these vulnerabilities.
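The bulletin's fix description for the two XSS issues is that URLs are "properly sanitized". The following Python is an added example of what that entails for a URL reflected into a link, and is not code from the bulletin or from Exchange: a handler that writes a URL parameter straight into an HTML attribute, beside a hardened version that first validates the value as a link target (http(s) or relative only) and then encodes it for the attribute context. The fallback path and the page fragment are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Schemes a user-clickable link in the page is allowed to carry. Anything else
# (javascript:, data:, vbscript:, ...) can execute script when followed.
SAFE_SCHEMES = {"http", "https"}
FALLBACK = "/owa/"   # assumption: where to send the user when the parameter is unusable


def render_link_vulnerable(url: str) -> str:
    """Reflects the parameter straight into an attribute.

    Two distinct failures: a double quote in `url` breaks out of the attribute and
    lets the attacker add event handlers or tags, and a javascript: URL is a valid
    href that runs in the victim's OWA origin when clicked.
    """
    return f'<a href="{url}">Open</a>'


def safe_href(url: str):
    """Return `url` if it is an http(s) or relative URL, otherwise None."""
    # Tabs and newlines inside a scheme are ignored by browsers ("java\tscript:"),
    # so refuse any control character instead of trying to strip them.
    if any(ord(c) < 0x20 for c in url):
        return None
    url = url.strip()
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return url


def render_link_hardened(url: str) -> str:
    """Validate the value for its meaning (a link target), then encode it for its
    output context (an HTML attribute). Both steps are needed: encoding alone
    leaves javascript: intact, validation alone leaves the quote breakout."""
    target = safe_href(url)
    if target is None:
        target = FALLBACK
    return f'<a href="{html.escape(target, quote=True)}">Open</a>'


if __name__ == "__main__":
    # Constructed inputs standing in for an attacker-supplied query parameter.
    for payload in ['/owa/?ae=Item&a=Open',
                    'javascript:alert(document.cookie)',
                    '"><img src=x onerror=alert(1)>']:
        print("vulnerable:", render_link_vulnerable(payload))
        print("hardened  :", render_link_hardened(payload))
```

Note that `safe_href` only answers "can this value be a link target without running script"; whether an http(s) target may point off the OWA host is a separate decision, which is the subject of the redirection issue below.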

Exchange URL Redirection Vulnerability - CVE-2014-6336

A spoofing vulnerability exists in Microsoft Exchange when Microsoft Outlook Web App (OWA) fails to properly validate redirection tokens. An attacker who successfully exploited this vulnerability could redirect a user to an arbitrary domain from a link that appears to originate from the user’s domain. An attacker could use the vulnerability to send email that appears to come from a user other than the attacker. Customers who access their Exchange Server email via Outlook Web App are primarily at risk from this vulnerability. The update addresses the vulnerability by ensuring that URLs are properly sanitized.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • To generate the malicious link, an attacker must already be an authenticated Exchange user and be able to send email messages.
  • The malicious link could be sent in an email, but the attacker would have to convince the user to open the link in order to exploit the vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (December 9, 2014): Bulletin published.
  • V2.0 (December 10, 2014): Revised bulletin to remove Download Center link for Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3 to address a known issue with the update. Microsoft is working to address the issue, and will update this bulletin when more information becomes available. Microsoft has removed update 2986475 and recommends that customers uninstall update 2986475 if they have already installed it.
  • V3.0 (December 12, 2014): Rereleased bulletin to announce the reoffering of Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3. The rereleased update addresses a known issue in the original offering. Customers who uninstalled the original update should install the updated version of 2986475 at the earliest opportunity.

Page generated 2015-01-14 11:56Z-08:00.