Despite Exchange 2010 not being affected by the #privexchange PoC in my testing, Microsoft has listed Exchange 2010 in their new advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007 …
Perhaps they know of a variant that affects 2010.
Still no update at this time, so be sure to apply workarounds!
It also states "An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server." This is worded in a way that implies that perhaps the impact is that User A can read the email of User B. It can get you DOMAIN ADMIN!
And you might ask yourself: How did @msftsecresponse advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007 … get published without mentioning CVE-2019-0686? Story time: At some point, MSRC stopped using bulletin identifiers like MS08-067, and started using CVE IDs instead. This is a good thing, right?
Not so fast... When this change happened, MSRC adopted the incorrect mindset that a CVE ID is used to refer to a software update, rather than a vulnerability. Because no software update has been released for Exchange, Microsoft has not yet publicly referred to it by its CVE ID.