Microsoft, ZDI disagree over Exchange zero-day flaws

Microsoft and Trend Micro's Zero Day Initiative disagree over four zero-day vulnerabilities the latter disclosed last week, sparking uncertainty about the potential risks.

ZDI, a division of Trend Micro that researches vulnerabilities and submits flaws to vendors on behalf of researchers, disclosed on Nov. 2 four zero-day vulnerabilities in on-premises versions of Microsoft Exchange. They include deserialization and remote code execution flaw ZDI-23-1578; server-side request forgery flaw ZDI-23-1581; SSRF flaw ZDI-23-1580; and SSRF flaw ZDI-23-1579. All four were first discovered in early September.

SSRF flaws let an attacker exploit a server issue to read or download sensitive data they shouldn't otherwise have access to. In a blog post dedicated to the SSRF issues, author and ZDI researcher Piotr Bazydło emphasized ZDI-23-1581 in particular, noting that it lets authenticated, remote attackers disclose sensitive information from a target's Exchange inbox. Full technical details and a proof of concept are available in the post.

"As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree," he wrote.

Bazydło included Microsoft's response to ZDI's disclosure of this issue, which stated that the company "has investigated this issue and concluded that this does not require immediate servicing. We have shared your report with the team responsible for maintaining the product or service and they will consider a potential future fix, taking the appropriate action as needed to help keep customers protected."

In turn, as ZDI did not know when or if the issue would be fixed, it decided to publish a blog post for four flaws that apparently do not have complete fixes available at this time. For all four flaws, ZDI recommended on their dedicated advisory pages, "Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application."

However, for one of the issues, remote code execution flaw ZDI-23-1578, Microsoft told cybersecurity publication SecurityWeek that it had already been patched via August security updates.

Asked about Microsoft's response, ZDI head of threat awareness Dustin Childs told TechTarget Editorial he felt Microsoft's response to ZDI-23-1578 to be "a bit misleading" because Microsoft's fix only covers default configurations of Exchange; ZDI's bug report covered non-default configuration scenarios. "In my mind, that means many Exchange servers are still vulnerable. And now their admins think they are safe when they may not be," he said.

Moreover, Childs argued Microsoft was downplaying the SSRF bugs because they require the threat actor to be authenticated. "We believe these to still be worth addressing in a security update, as many Exchange servers have a compromised user or two who can authenticate, and authentication bypasses are also a thing." He added that while he understands their point of view, "I wish they would be more transparent in their responses."

TechTarget Editorial contacted Microsoft about Childs' concerns. In response, a Microsoft spokesperson said the tech giant has confirmed "this is not a vulnerability."

"To make the server vulnerable, an administrator would have to explicitly disable a feature flag added in the August security update. This is not a practical or likely scenario," the spokesperson said.

In addition, the spokesperson shared the following statement.

We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we're committed to taking the necessary steps to help protect customers. We've reviewed these reports and have found that they have either already been addressed or do not meet the bar for immediate servicing under our severity classification guidelines, and we will evaluate addressing them in future product versions and updates as appropriate.

Finally, the spokesperson shared details regarding Microsoft's thinking behind all four flaws disclosed by ZDI last week.

Regarding ZDI-23-1578, Microsoft said customers who have applied August Security Updates are already protected. For ZDI-23-1581, "The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege." For ZDI-23-1579, the spokesperson noted the post-authentication requirement. And for ZDI-23-1580, the spokesperson said, "The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information."

On the same day as ZDI's disclosures last week, Microsoft announced the Secure Future Initiative, the tech giant's plan to better address software and vulnerability issues. As part of the company's announcement, Microsoft president Brad Smith said, "We also will encourage more transparent reporting in a more consistent manner across the tech sector."

The announcement of the Secure Future Initiative followed months of vocal public criticism of Microsoft's handling of reported vulnerabilities, particularly in the company's cloud services. In an August article, infosec executives and professionals, including Childs, told TechTarget Editorial they felt Microsoft was failing the security industry by downplaying and silent patching vulnerabilities.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.