Despite Exchange 2010 not being affected by the #privexchange PoC in my testing, Microsoft has listed Exchange 2010 in their new advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007 …
Perhaps they know of a variant that affects 2010.
Still no update at this time, so be sure to apply workarounds!
According to ADV190007 and the 2 follow-up updates for CVE-2019-0724 and CVE-2019-0686, Microsoft Exchange 2010 is affected. In my (and others') testing, 2010 is not affected. But the 3 above publications from Microsoft are so full of errors that I can't justify updating the VU#.
I've finally received info from Microsoft and have updated the vul note.
CVE-2019-0686 - Exchange attempts to NTLM authenticate PushSubscriptionRequest() targets
CVE-2019-0724 - Exchange has too many privileges
The PoC doesn't work with 2010, but MS changed its behavior anyway.