CVE-2023-21709: Microsoft Exchange Server Elevation of Privilege Vulnerability

Overview

Severity
Critical (CVSS 9.8)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2023-Aug
Released
2023-08-08
Last Updated
2023-10-10
EPSS Score
3.04% (percentile: 86.7%)

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would be able to log in as another user successfully.

How could an attacker exploit this vulnerability?

In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft encourages the use of strong passwords that are more difficult for an attacker to brute force.

Why is the severity for this CVE rated as Important, but the CVSS score is 9.8?

The Microsoft proprietary severity rating does not align with the CVSS scoring system. In this case, the severity rating of Important (rather than Critical) reflects the fact that brute-force attacks are unlikely to succeed against users with strong passwords. The CVSS scoring system doesn't allow for this type of nuance.

Update 10-10-2023: Is there new information available regarding this CVE?

Yes. CVE-2023-36434, which was published October 10, 2023, addresses a vulnerability in Windows IIS that completely mitigates this Exchange vulnerability. If you have applied the additional steps documented in the following FAQ, please read the Exchange Blog for details on what to do now regarding this vulnerability as well as what to do for the new Windows IIS vulnerability.

Are there additional steps needed to protect against this vulnerability?

Yes. In addition to installing the updates, a script must be run. Alternatively, you can accomplish the same by running commands from the command line in a PowerShell window or some other terminal. Follow these steps:

  • (Strongly recommended) Install Exchange Server 2016 or 2019 August SU (or later).
  • Do one of the following:
    • Apply the solution for the CVE automatically on your servers by running the CVE-2023-21709.ps1 script. You can find the script and the documentation here: https://aka.ms/CVE-2023-21709ScriptDoc.
    • Apply the solution for the CVE manually on each server, by running the following command from an elevated PowerShell

Affected Products (3)

Server Software

  • Microsoft Exchange Server 2019 Cumulative Update 12
  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 13

Security Updates (3)

Acknowledgments

Steve Walker with WCRIBMA (https://www.wcribma.org/)

Revision History

  • 2023-08-08: Information published.
  • 2023-08-09: Added FAQ regarding a new known issue in the August Exchange security updates.
  • 2023-08-15: The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.
  • 2023-08-17: Corrected security updates table. This is an informational change only.
  • 2023-10-10: Added FAQ information. This is an informational change only.