How could an attacker exploit this vulnerability? An authenticated attacker could achieve exploitation by using a PowerShell remoting session to the server. According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is set to Network because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is set to Low because an attacker does not require significant prior knowledge of the cluster/system and can achieve repeatable success when attempting to exploit this vulnerability. Is there anything that I should be aware of if I'm running a non-English operating system and version of Exchange server? Yes, an issue has been discovered with the non-English August updates of Exchange Server and you should postpone installing these updates. The script protecting customers from the vulnerability documented by CVE-2023-21709 can be run to protect against the vulnerability without installing the August updates. Microsoft recommends running the script. August 15, 2023 Update: The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible. Please see the Exchange Blog for more information. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.
Piotr Bazydlo (@chudypb) of <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>, <a href="https://twitter.com/arudd1ck">Andrew Ruddick</a> with Microsoft Security Response Center