According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server? Yes, the attacker must be authenticated with LAN-access and have credentials for a valid Exchange user. How could an attacker exploit this vulnerability? An authenticated attacker could achieve exploitation by using a PowerShell remoting session to the server. According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability? An authenticated attacker could exploit this vulnerability with LAN access.
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative, Anna @little_pwner and @Voorivex Academy