Microsoft Exchange Server has had a tough 2021, with a series of vulnerability exploits endangering users on the platform. It seems the service is facing another new security threat. A security researcher from Guardicore found a major bug in Exchange’s Autodiscover protocol, resulting in nearly 100,000 login names and passwords leaking.
Autodiscover is a protocol in Microsoft Exchange Server that lets users configure mail clients with nothing more than an email address and a password. Guardicore’s Amit Serper says a flaw in how Autodiscover clients behave has caused tens of thousands of unique Windows domain credentials to leak online.
“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire,” Serper points out in a technical report.
“Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains],” he adds.
Because of the vulnerability, the Autodiscover protocol sends its web requests to domains outside the user’s own domain as long as they share the same TLD. Guardicore identified a batch of such domains and pointed them at its own server, which let the researchers capture clear-text account credentials for users.
Leak and Response
At the time of writing, the security research company has found 11 Autodiscover domains with TLD around the world. These domains were configured to route traffic to a server controlled by Guardicore, which the company then used as a proof of concept. The Autodiscover domains are:
- Autodiscover.com.br – Brazil
- Autodiscover.com.cn – China
- Autodiscover.com.co – Colombia
- Autodiscover.es – Spain
- Autodiscover.fr – France
- Autodiscover.in – India
- Autodiscover.it – Italy
- Autodiscover.sg – Singapore
- Autodiscover.uk – United Kingdom
That group of domains was enough to cause a huge leak: 372,072 Windows domain credentials, 96,671 of them unique, leaked from popular apps like Microsoft Outlook. In fact, any app that syncs with Microsoft Exchange Server is at risk.
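To make the failure mode concrete from a defender's side, the following added example (not code from the article or from Guardicore) models the behaviour described above: an Autodiscover client that keeps trimming the left-most label of the user's mail domain until it reaches a TLD-level host such as autodiscover.com.br, at which point the request leaves the organization entirely. It assumes that simplified walk-up order, uses constructed organization domains and a constructed proxy log format, and flags outbound Autodiscover requests to hosts the organization does not own, treating any such request that carried Basic authentication as a credential exposure.

```python
"""Model the Autodiscover domain walk-up described in the article and
flag requests that leave the organization's own domains.

Added example with constructed data; the walk-up order is an assumption
that simplifies the client behaviour, not Guardicore's or Microsoft's code.
"""
from urllib.parse import urlparse

# Constructed: domains this (hypothetical) organization actually owns.
ORG_DOMAINS = {"example.com.br", "example.es"}


def candidate_hosts(email: str) -> list[str]:
    """Return the Autodiscover hosts a client would try for this address,
    from the most specific down to the TLD-level fallback (assumed order).
    """
    domain = email.split("@", 1)[1].lower()
    labels = domain.split(".")
    hosts = []
    # Stop before the bare TLD: "autodiscover.br" is not a sensible target.
    for i in range(len(labels) - 1):
        hosts.append("autodiscover." + ".".join(labels[i:]))
    return hosts


def is_under(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def leaky_hosts(email: str, org_domains: set[str]) -> list[str]:
    """Candidate hosts that are NOT under any organization-owned domain.

    Credentials sent to these hosts go to whoever registered them.
    """
    return [
        h for h in candidate_hosts(email)
        if not any(is_under(h, d) for d in org_domains)
    ]


# Constructed proxy log lines: timestamp src method url status auth-scheme.
SAMPLE_PROXY_LOG = [
    "2021-09-22T10:01:02Z 10.0.0.5 GET https://autodiscover.example.com.br/autodiscover/autodiscover.xml 401 auth=none",
    "2021-09-22T10:01:03Z 10.0.0.5 POST https://autodiscover.example.com.br/autodiscover/autodiscover.xml 404 auth=none",
    "2021-09-22T10:01:04Z 10.0.0.5 GET http://autodiscover.com.br/autodiscover/autodiscover.xml 401 auth=none",
    "2021-09-22T10:01:05Z 10.0.0.5 GET http://autodiscover.com.br/autodiscover/autodiscover.xml 200 auth=basic",
    "2021-09-22T10:02:00Z 10.0.0.9 GET https://www.example.es/index.html 200 auth=none",
]


def flag_leaky_requests(lines: list[str], org_domains: set[str]) -> list[tuple]:
    """Scan proxy log lines for Autodiscover requests to hosts the org does
    not own. Returns (timestamp, source_ip, host, severity) tuples, where
    severity is 'credential-exposure' if Basic auth was sent, else 'probe'.
    """
    findings = []
    for line in lines:
        ts, src, _method, url, _status, auth = line.split()
        host = (urlparse(url).hostname or "").lower()
        if not host.startswith("autodiscover."):
            continue
        if any(is_under(host, d) for d in org_domains):
            continue  # request stayed inside our own domains
        severity = "credential-exposure" if auth == "auth=basic" else "probe"
        findings.append((ts, src, host, severity))
    return findings


if __name__ == "__main__":
    for h in leaky_hosts("user@mail.example.com.br", ORG_DOMAINS):
        print("walk-up leaves the organization at:", h)
    for f in flag_leaky_requests(SAMPLE_PROXY_LOG, ORG_DOMAINS):
        print("finding:", f)
```

The same check can be fed with real egress logs: any client that reaches a TLD-level autodiscover host is a candidate for the mitigation the research points at, namely blocking those hosts at the proxy or DNS layer and ensuring the organization's own autodiscover record answers first.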
A little war of words between Microsoft and Guardicore has emerged since the disclosure. Speaking to Ars Technica last week, Microsoft Senior Director Jeff Jones said the company publicly disclosed the vulnerability without telling Microsoft.
Guardicore contests this and says there was nothing to disclose because the flaw has been known for years. The company says the difference is “We were just able to exploit it at a massive scale.”
Microsoft has yet to respond about any fix.