Autodiscover flaw in Microsoft Exchange leaking credentials
Guardicore found that exploiting a design flaw in Autodiscover allowed it to capture more than 372,000 Windows domain credentials and nearly 97,000 unique application credentials.
A flaw in Autodiscover, a protocol utilized in Microsoft Exchange, is responsible for a massive data leak of various Windows and Microsoft credentials, according to new Guardicore research.
Autodiscover is used by Exchange to automatically configure client applications such as Microsoft Outlook. In a post published Wednesday, Amit Serper, area vice president of security research at enterprise security vendor Guardicore, wrote that Autodiscover "has a design flaw that causes the protocol to 'leak' web requests to Autodiscover domains outside of the user's domain," but in the same top-level domain (TLD), Autodiscover.com, for example.
Guardicore researchers then tested the flaw.
"Guardicore Labs acquired multiple Autodiscover domains with a TLD suffix and set them up to reach a web server that we control," Serper wrote in the blog post. "Soon thereafter, we detected a massive leak of Windows domain credentials that reached our server."
Examples of domains that the vendor purchased included Autodiscover.com.br, Autodiscover.com.cn and Autodiscover.com.co; the post included substantial technical detail regarding how the domains were abused.
From April 16 to Aug. 25, Guardicore was able to exploit the flaw to capture 372,072 Windows domain credentials and 96,671 unique credentials "that leaked from various applications such as Microsoft Outlook, mobile email clients and other applications interfacing with Microsoft's Exchange server," Serper wrote.
The Autodiscover flaw is not a new issue; Serper wrote that Shape Security first revealed the core vulnerabilities in 2017 and presented the findings at Black Hat Asia that year. At the time, the vulnerabilities -- CVE-2016-9940 and CVE-2017-2414 -- were found to affect only email clients on mobile devices. "The vulnerabilities disclosed by Shape Security were patched, yet, here we are in 2021 with a significantly larger threat landscape, dealing with the exact same problem only with more third-party applications outside of email clients," Serper wrote.
The post presented two mitigations: one for the general public and one for software developers and vendors.
For the general public using Exchange, Guardicore recommended users block Autodiscover domains in their firewalls. Serper also said that when configuring Exchange setups, users should "make sure that support for basic authentication is disabled." Serper continued, saying that "using HTTP basic authentication is the same as sending a password in clear text over the wire."
Developers, meanwhile, should make sure they are not letting the Autodiscover protocol "fail upwards."
"Make sure that when you are implementing the Autodiscover protocol in your product you are not letting it 'fail upwards,' meaning that domains such as 'Autodiscover.' should never be constructed by the 'back-off' algorithm," Serper wrote.
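The following Python example is added here to illustrate both mitigations above; it is not Guardicore's, Microsoft's or any client's actual code. It shows a naive Autodiscover "back-off" that strips one label at a time until it reaches autodiscover.<TLD> (the "fail upwards" behaviour Serper describes), a hardened version that stops at the user's registrable domain, and a small log check that flags connections to autodiscover.<public suffix> hosts, the destinations the firewall-blocking advice is about. The function names, the sample log lines and the tiny public-suffix list are all constructed assumptions for this example; a real implementation should use the full Public Suffix List.

```python
# Added illustration of the Autodiscover "fail upwards" back-off and its fix.
# Not code from Guardicore, Microsoft or any mail client; names are assumed.
from typing import List

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real implementation must use the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "br", "cn", "co", "uk", "com.br", "com.cn", "com.co", "co.uk"}


def is_public_suffix(domain: str) -> bool:
    """True if `domain` is a TLD or public suffix rather than a registrable domain."""
    return domain.lower().strip(".") in PUBLIC_SUFFIXES


def registrable_domain(domain: str) -> str:
    """Shortest suffix of `domain` that is one label longer than a public suffix,
    e.g. mail.corp.example.co.uk -> example.co.uk."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if is_public_suffix(".".join(labels[i:])):
            if i == 0:
                raise ValueError(f"{domain} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return domain.lower()  # unknown suffix: treat the whole name as registrable


def autodiscover_hosts_failing_upward(email: str) -> List[str]:
    """Hostnames a naive back-off client would try for `email`, in order.
    After each failure it drops the leftmost label and keeps going, so it
    eventually constructs autodiscover.<TLD>, outside the user's control."""
    domain = email.split("@", 1)[1].lower()
    labels = domain.split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(len(labels))]


def autodiscover_hosts_hardened(email: str) -> List[str]:
    """Same back-off, but it never builds a host whose parent is a public suffix
    and stops once it has tried the user's registrable domain."""
    domain = email.split("@", 1)[1].lower()
    stop_at = registrable_domain(domain)
    labels = domain.split(".")
    hosts: List[str] = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if is_public_suffix(parent):
            break  # would be autodiscover.<TLD>: refuse to fail upwards
        hosts.append(f"autodiscover.{parent}")
        if parent == stop_at:
            break
    return hosts


def leaky_autodiscover_hosts(log_lines: List[str]) -> List[str]:
    """Return the distinct 'autodiscover.<public suffix>' destinations seen in
    proxy/DNS-style log lines; these are the hosts to block at the firewall."""
    found: List[str] = []
    for line in log_lines:
        for token in line.split():
            host = token.lower().split(":")[0].strip(",;")  # drop any :port
            if host.startswith("autodiscover.") and is_public_suffix(host[len("autodiscover."):]):
                if host not in found:
                    found.append(host)
    return found


# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2021-04-16T10:01:02Z CONNECT autodiscover.example.com.br:443 user=alice",
    "2021-04-16T10:01:05Z CONNECT autodiscover.com.br:443 user=alice",
    "2021-04-16T10:02:11Z CONNECT autodiscover.example.com:443 user=bob",
    "2021-04-16T10:02:14Z CONNECT autodiscover.com:443 user=bob",
]

if __name__ == "__main__":
    print("naive   :", autodiscover_hosts_failing_upward("user@example.com.br"))
    print("hardened:", autodiscover_hosts_hardened("user@example.com.br"))
    print("leaks in log:", leaky_autodiscover_hosts(SAMPLE_LOG))
```

Running it shows the naive client walking from autodiscover.example.com.br to autodiscover.com.br and then autodiscover.br, while the hardened client stops after the user's own domain; the log check picks out exactly the two out-of-domain hosts from the constructed lines.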
Disclosure dispute
Microsoft criticized Guardicore for not following the vulnerability disclosure process before publishing its research. The tech giant shared the following statement with SearchSecurity, attributed to Microsoft senior director Jeff Jones.
"We are actively investigating and will take appropriate steps to protect customers," Jones wrote. "We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today."
Serper responded to this statement, which was sent to other media outlets, in a tweet Wednesday evening.
"My report clearly cites research from 2017 presenting this issue: see this paper from 2017, as was presented in Black Hat Asia 2017. If this was an 0day, sure. This is a 1460day, at least. Saying that Microsoft 'didn't know about it' is 'untrue,'" he said.
SearchSecurity contacted Guardicore for additional comments and will update this post, should the company respond.
Alexander Culafi is a writer, journalist and podcaster based in Boston.