
Microsoft Exchange zero-days


Summary

Microsoft Exchange is impacted by four zero-day vulnerabilities that can be exploited remotely to execute arbitrary code. The vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) on 7 and 8 September.

  • ZDI-23-1578 (CVSS score 7.5 High) – A remote code execution (RCE) flaw in the ‘ChainedSerializationBinder’ class, where user data isn’t adequately validated, allowing attackers to deserialize untrusted data. Successful exploitation enables an attacker to execute arbitrary code as ‘SYSTEM,’ the highest level of privileges on Windows.
  • ZDI-23-1579 (CVSS score 7.1 High) – Located in the ‘DownloadDataFromUri’ method, this flaw is due to insufficient validation of a URI before resource access. Attackers can exploit it to access sensitive information from Exchange servers.
  • ZDI-23-1580 (CVSS score 7.1 High) – This vulnerability, in the ‘DownloadDataFromOfficeMarketPlace’ method, also stems from improper URI validation, potentially leading to unauthorized information disclosure.
  • ZDI-23-1581 (CVSS score 7.1 High) – Present in the ‘CreateAttachmentFromUri’ method, this flaw resembles the previous bugs, with inadequate URI validation again risking sensitive data exposure.
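
The three information-disclosure flaws above share one root cause: a caller-supplied URI is used to access a resource before it is validated. The following is an added example of that kind of pre-fetch check, not code from Exchange, Microsoft or ZDI; the function names, hosts and DNS table are hypothetical and constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: only HTTPS fetches are legitimate
# Constructed sample data (hypothetical hosts and DNS answers, not from the bulletin)
ALLOWED_HOSTS = {"store.example.com", "intranet.example.com"}
SAMPLE_DNS = {"store.example.com": ["93.184.216.34"],
              "intranet.example.com": ["10.0.0.5"]}

def system_resolver(host):
    """Resolve with the OS resolver; returns a list of address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def sample_resolver(host):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(host, [])

def check_fetch_uri(uri, allowed_hosts, resolver=system_resolver):
    """Return (ok, reason) for a caller-supplied URI before any request is made."""
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URI"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"      # rejects file://, UNC paths, http://
    if parts.username or parts.password:
        return False, "embedded credentials"    # rejects user@host confusion
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False, "resolution failed"
    if not addresses:
        return False, "resolution failed"
    for ip in addresses:
        if not ip.is_global:                    # loopback, RFC 1918, link-local, ...
            return False, f"resolves to non-public address {ip}"
    return True, "ok"

if __name__ == "__main__":
    for uri in ("https://store.example.com/addin.xml",
                "file:///C:/Windows/win.ini",
                "https://store.example.com@intranet.example.com/",
                "https://intranet.example.com/status"):
        print(uri, "->", check_fetch_uri(uri, ALLOWED_HOSTS, sample_resolver))
```

The request that follows must connect to the address that was validated and repeat the check on every redirect; otherwise a second DNS lookup or a redirect can point the fetch somewhere the check never saw.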

Recommendations

ZDI-23-1578 has been fixed in the August Security Update. Exploiting ZDI-23-1579, ZDI-23-1580 and ZDI-23-1581 requires prior access to email credentials. The other recommendation is to restrict interaction with the application.