Microsoft Security Bulletin MS15-064 - Important

Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157)

Published: June 9, 2015

Version: 1.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by:

  • Modifying how Exchange web applications manage same-origin policy
  • Modifying how Exchange web applications manage user session authentication
  • Correcting how Exchange web applications sanitize HTML strings

For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this document, see Microsoft Knowledge Base Article 3062157.

 

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Software                                                       Maximum Security Impact   Aggregate Severity Rating   Updates Replaced
Microsoft Server Software
Microsoft Exchange Server 2013 Service Pack 1 (3062157)        Elevation of Privilege    Important                   None
Microsoft Exchange Server 2013 Cumulative Update 8 (3062157)   Elevation of Privilege    Important                   None

 

Update FAQ

Does this update contain any non-security related changes to functionality?
No, Exchange Server 2013 Security Updates only contain fixes for the issue(s) identified in the security bulletin.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Microsoft Server Software

Affected Software: Microsoft Exchange Server 2013 Service Pack 1 (3062157)
  Exchange Server-Side Request Forgery Vulnerability - CVE-2015-1764:  Important / Information Disclosure
  Exchange Cross-Site Request Forgery Vulnerability - CVE-2015-1771:   Important / Elevation of Privilege
  Exchange HTML Injection Vulnerability - CVE-2015-2359:               Not applicable
  Aggregate Severity Rating:                                           Important

Affected Software: Microsoft Exchange Server 2013 Cumulative Update 8 (3062157)
  Exchange Server-Side Request Forgery Vulnerability - CVE-2015-1764:  Important / Information Disclosure
  Exchange Cross-Site Request Forgery Vulnerability - CVE-2015-1771:   Important / Elevation of Privilege
  Exchange HTML Injection Vulnerability - CVE-2015-2359:               Important / Information Disclosure
  Aggregate Severity Rating:                                           Important

 

Vulnerability Information

Exchange Server-Side Request Forgery Vulnerability - CVE-2015-1764

An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage same-origin policy. An attacker could exploit this Server-Side Request Forgery (SSRF) vulnerability by using a specially crafted web application request. An attacker who successfully exploited this vulnerability could then:

  • Scan and attack systems behind a firewall that are normally inaccessible from the outside world
  • Enumerate and attack services that are running on these host systems
  • Exploit host-based authentication services

Exchange web applications are primarily at risk from this vulnerability. The update addresses the vulnerability by modifying how Exchange web applications manage same-origin policy.
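The bulletin does not say where in the Exchange web applications the same-origin handling was weak, so the following is an added, generic illustration of the vulnerability class rather than Exchange code. It guards a server-side "fetch this URL on the user's behalf" helper first with a naive string-prefix test that looks like a same-origin check, then with a parser-based allow-list that also refuses embedded credentials, non-default ports and internal addresses. The host mail.example.com, the allow-list and the sample URLs are constructed for the demo.

```python
"""Illustrative SSRF guard: naive prefix check beside an allow-list check.

Added example, not Exchange code. The allow-list and sample URLs are
assumptions constructed for the demo; no network I/O is performed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only backend this web tier may fetch from.
ALLOWED_HOSTS = {"mail.example.com"}


def naive_is_allowed(url: str) -> bool:
    """Looks like a same-origin test but only compares a string prefix."""
    return url.startswith("https://mail.example.com")


def hardened_is_allowed(url: str) -> bool:
    """Parse the URL and compare scheme, host and port against the allow-list.

    Also refuses userinfo in the authority (the "host@real-target" trick) and
    literal IP hosts in private, loopback, link-local or reserved ranges.
    A real deployment must additionally resolve the name before connecting
    and re-run this check on every redirect; this demo stays offline.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                  # not a literal address, a hostname
    if ip is not None and (ip.is_private or ip.is_loopback
                           or ip.is_link_local or ip.is_reserved):
        return False
    if port not in (None, 443):
        return False
    return host in ALLOWED_HOSTS


# Constructed inputs: (url, why a practitioner cares)
SAMPLES = [
    ("https://mail.example.com/owa/", "legitimate"),
    ("https://mail.example.com.attacker.net/", "suffix-spoofed host"),
    ("https://mail.example.com@169.254.169.254/", "userinfo trick"),
    ("https://mail.example.com:8443/", "non-standard port"),
    ("http://mail.example.com/", "scheme downgrade"),
    ("https://10.0.0.5/", "internal address"),
]


def compare() -> dict:
    """Map each sample URL to (naive verdict, hardened verdict)."""
    return {url: (naive_is_allowed(url), hardened_is_allowed(url))
            for url, _ in SAMPLES}


if __name__ == "__main__":
    for url, note in SAMPLES:
        print(f"{note:20s} naive={naive_is_allowed(url)!s:5} "
              f"hardened={hardened_is_allowed(url)!s:5} {url}")
```

The two spoofed forms are the ones that matter for the bulletin's "scan systems behind a firewall" impact: both pass the prefix check, and the userinfo form points the server at a link-local address while still beginning with the trusted origin string.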

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Exchange Cross-Site Request Forgery Vulnerability - CVE-2015-1771

An elevation of privilege vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage user sessions. For this Cross-Site Request Forgery (CSRF/XSRF) vulnerability to be exploited, the victim must be authenticated to (logged on to) the target site.

In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted webpage that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message. An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the web application on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim.

Exchange web applications are primarily at risk from this vulnerability. The update addresses the vulnerability by modifying how Exchange web applications manage user session authentication.
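The bulletin describes the attack (a logged-on victim's browser submits an attacker-crafted request to the web application) but not the fix beyond "user session authentication". As an added illustration that is not Exchange code, the block below shows a state-changing handler that trusts the session cookie alone beside one that also demands a session-bound anti-CSRF token and rejects a foreign Origin header. The origin, secret key, session store and request shapes are constructed for the demo.

```python
"""Illustrative CSRF defence (added example, not Exchange code).

A delete handler authenticated by cookie alone is shown beside one that
also requires a session-bound token and a matching Origin. Key, origin,
session store and request shapes are assumptions made for the demo.
"""
import hashlib
import hmac

SITE_ORIGIN = "https://mail.example.com"           # assumption: the app's origin
SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: server secret

# Constructed session store: cookie value -> signed-in user
SESSIONS = {"sess-victim-001": "victim@example.com"}


def issue_csrf_token(session_id: str) -> str:
    """Token the legitimate page embeds in its forms. It is derived from the
    session but never sent as a cookie, so a form auto-submitted from another
    site cannot include it: the browser only attaches cookies automatically."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _user_for(request: dict):
    return SESSIONS.get(request.get("cookies", {}).get("session", ""))


def delete_item_vulnerable(request: dict) -> tuple:
    """Cookie only: any POST at this origin, including one an attacker's page
    submits from the victim's browser, carries the cookie and succeeds."""
    user = _user_for(request)
    if user is None:
        return (401, "not signed in")
    return (200, f"{user}: deleted {request['form'].get('item')}")


def delete_item_hardened(request: dict) -> tuple:
    """Cookie, then Origin check, then constant-time token comparison."""
    user = _user_for(request)
    if user is None:
        return (401, "not signed in")
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return (403, "cross-origin request refused")
    expected = issue_csrf_token(request["cookies"]["session"]).encode()
    supplied = request["form"].get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return (403, "missing or invalid anti-CSRF token")
    return (200, f"{user}: deleted {request['form'].get('item')}")


def forged_request(token_guess=None, omit_origin=False) -> dict:
    """Constructed: what the victim's browser sends when an attacker-hosted
    page auto-submits a form aimed at the web application."""
    form = {"item": "msg-1"}
    if token_guess is not None:
        form["csrf_token"] = token_guess
    headers = {} if omit_origin else {"Origin": "https://attacker.example"}
    return {"method": "POST", "headers": headers,
            "cookies": {"session": "sess-victim-001"},  # attached automatically
            "form": form}


def legitimate_request() -> dict:
    """Constructed: the same action submitted from the app's own page."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "cookies": {"session": "sess-victim-001"},
            "form": {"item": "msg-1",
                     "csrf_token": issue_csrf_token("sess-victim-001")}}


if __name__ == "__main__":
    print("vulnerable, forged:    ", delete_item_vulnerable(forged_request()))
    print("hardened, forged:      ", delete_item_hardened(forged_request()))
    print("hardened, guessed token:",
          delete_item_hardened(forged_request("0" * 64, omit_origin=True)))
    print("hardened, legitimate:  ", delete_item_hardened(legitimate_request()))
```

The Origin check alone is not sufficient (some clients omit the header, which is why the hardened handler tolerates its absence), and the token alone is not sufficient if it is ever exposed to another origin; the two checks together cover each other's gaps.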

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Exchange HTML Injection Vulnerability - CVE-2015-2359

An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly sanitize HTML strings. To exploit this HTML Injection vulnerability an attacker must have the ability to submit a specially crafted script to a target site that uses HTML sanitization. Where the vulnerability exists, in specific situations the specially crafted script is not properly sanitized. The attacker-supplied script could then be run in the security context of a user who views the malicious content.

For HTML injection attacks, this vulnerability requires that a user visit a compromised site for any malicious action to occur. For instance, after an attacker has successfully submitted a specially crafted script to a target site that uses HTML sanitization, any webpage on that site that contains the specially crafted script is a potential vector for persistent cross-site scripting attacks. When a user visits a webpage that contains the specially crafted script, the script could be run in the security context of the user.

Systems where users connect to a site that sanitizes HTML strings, such as workstations or terminal servers, are primarily at risk. The update addresses the vulnerability by correcting how Exchange web applications sanitize HTML strings.
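The bulletin says the sanitizer failed "in specific situations" without naming them. As an added illustration that is not Exchange's sanitizer, the block below contrasts the usual failure pattern, a deny-list regex that strips `<script>` blocks and nothing else, with an allow-list sanitizer built on Python's html.parser that re-serialises only approved tags and attributes and checks link schemes after decoding entities and stripping whitespace. The allow-list and the payloads are constructed for the demo.

```python
"""Illustrative HTML sanitisation (added example, not Exchange code).

A script-stripping regex is shown beside an allow-list sanitiser built on
html.parser. The tag/attribute allow-list and the sample payloads are
assumptions constructed for the demo.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def naive_sanitize(fragment: str) -> str:
    """Deny-list: remove <script>...</script>. Event handlers, javascript:
    URLs and <svg onload> all survive untouched."""
    return re.sub(r"<script\b.*?</script\s*>", "", fragment, flags=re.I | re.S)


def _safe_href(value) -> bool:
    # Fold case and drop whitespace/control characters so "java\tscript:"
    # (entity-encoded variants are already decoded by the parser) is caught.
    v = "".join(ch for ch in (value or "").lower()
                if ch.isprintable() and not ch.isspace())
    if v.startswith("/") and not v.startswith("//"):
        return True                      # same-site relative path
    return v.startswith(SAFE_SCHEMES)


class AllowListSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes; all other markup is
    dropped and every text node is entity-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # tag dropped, its text children kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # e.g. onerror, onclick, style
            if name == "href" and not _safe_href(value):
                continue
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are discarded.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def unknown_decl(self, data):
        pass

    def handle_pi(self, data):
        pass


def hardened_sanitize(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed payloads: the first is benign, the rest are classic stored-XSS
# vectors; only the second is touched by the regex.
SAMPLES = [
    '<p>Hello <b>world</b> &amp; friends</p>',
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="jav&#x09;ascript:alert(1)">click</a>',
    '<svg><script>alert(1)</script></svg>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"input:    {s}\n naive:    {naive_sanitize(s)}\n"
              f" hardened: {hardened_sanitize(s)}\n")
```

The design point is that the safe output is built from what the parser understood, not from the attacker's bytes with pieces cut out; anything the parser did not recognise as allowed markup becomes escaped text.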

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (June 9, 2015): Bulletin published.

Page generated 2015-06-03 12:16Z-07:00.