Until it is determined whether this attack can be relayed via WebDAV (i.e., via HTTP through your firewall even if it's blocking SMB), I would also disable the "Web Client" service on your Exchange server. /cc @wdormann https://twitter.com/certcc/status/1089570070693642240
IMO, the problem is because Exchange 2013 and later don't sign/seal the NTLM authentication request from the Exchange server. This allows an attacker to relay the request without needing to know the credentials of the Exchange server account.
The documented EWS PushSubscriptionRequest() function allows an Exchange mailbox owner to cause the Exchange server to make an HTTP request to an arbitrary web server. And it happens to attempt NTLM authentication while at it.
So the subscription request is originally HTTP with authentication? Not SMB?
Exchange 2013 and later don't sign the NTLM request that goes out over HTTP. Exchange 2010 *does* sign that request, and is therefore not affected. Why the change? Nobody knows.
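The thread's point is that the NTLM request Exchange sends over HTTP carries no sign/seal negotiation. The script below is an added example (not from the thread or from Microsoft) that lets a defender check this on a captured `Authorization: NTLM <base64>` header, decoding the NTLMSSP message and reporting whether the SIGN, SEAL or ALWAYS_SIGN flags (MS-NLMP NegotiateFlags) are set; the two sample headers are constructed inline.

```python
import base64
import struct

# NTLMSSP NegotiateFlags bits from MS-NLMP section 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

# Byte offset of NegotiateFlags in NEGOTIATE (1), CHALLENGE (2), AUTHENTICATE (3)
_FLAG_OFFSET = {1: 12, 2: 20, 3: 60}


def negotiate_flags(token):
    """Return (message_type, flags) parsed from a raw NTLMSSP message."""
    if len(token) < 16 or token[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    off = _FLAG_OFFSET.get(msg_type)
    if off is None or len(token) < off + 4:
        raise ValueError("unsupported or truncated NTLMSSP message")
    return msg_type, struct.unpack_from("<I", token, off)[0]


def classify_ntlm_header(header_value):
    """Report whether an 'NTLM <base64>' header value asks for signing/sealing."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization header")
    msg_type, flags = negotiate_flags(base64.b64decode(b64))
    sign = bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN))
    seal = bool(flags & NTLMSSP_NEGOTIATE_SEAL)
    return {"type": msg_type, "flags": flags, "sign": sign, "seal": seal,
            "unsigned": not (sign or seal)}


def build_type1(flags):
    """Constructed NEGOTIATE_MESSAGE: signature, type 1, flags, empty name fields."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


# Constructed sample headers: one requests sign+seal, the other does not
BASE_FLAGS = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
SIGNED_HEADER = "NTLM " + base64.b64encode(build_type1(
    BASE_FLAGS | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
    | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)).decode()
UNSIGNED_HEADER = "NTLM " + base64.b64encode(build_type1(BASE_FLAGS)).decode()

if __name__ == "__main__":
    for name, hdr in (("signed", SIGNED_HEADER), ("unsigned", UNSIGNED_HEADER)):
        print(name, classify_ntlm_header(hdr))
```

A header whose flags set none of the three bits is the case the thread describes; the same check applies to a CHALLENGE or AUTHENTICATE message if that is what was captured.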