CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2013-076

DATE(S) ISSUED:
08/13/2013; 08/15/2013 - Updated

SUBJECT:
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (MS13-061)

ORIGINAL OVERVIEW:

Three vulnerabilities have been discovered in Microsoft Exchange Server that could allow for remote code execution or cause Denial of Service (DoS) conditions. Microsoft Exchange Server provides email, calendar and contacts for corporate environments. Successful exploitation of two of the vulnerabilities could allow an attacker to run arbitrary code on the affected Microsoft Exchange Server. Exploitation of the other vulnerability could result in a Denial of Service (DoS) condition.

August 15 - UPDATED OVERVIEW:
Microsoft has removed the update for MS13-061 from distribution. The patch is reportedly causing errors in Microsoft Exchange Server 2013 due to the Exchange Search Host Controller being renamed. This will cause indexing errors on the server.


SYSTEMS AFFECTED:

  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013


UPDATED SYSTEMS AFFECTED:

  • Microsoft Exchange Server 2013

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

Three vulnerabilities have been discovered in Microsoft Exchange Server. Two of the vulnerabilities, CVE-2013-2393 and CVE-2013-3776, occur because of the way the WebReady Document Viewing service parses files using the Oracle Outside In libraries; the issue exists due to vulnerabilities contained within the libraries themselves. WebReady Document Viewing is a Microsoft Exchange Server feature that allows Outlook Web Access (OWA) users to view attachments such as Microsoft Office documents within the browser. It is enabled by default; if disabled, OWA users may not be able to preview the content of email attachments. These vulnerabilities can allow an attacker to run code on the Windows Exchange Server under the context of the LocalService account. To exploit these vulnerabilities, an attacker must create a specially crafted file that is sent via e-mail to a user on a vulnerable version of Microsoft Exchange Server. When the user previews the document by clicking on the "Open as Webpage" link within OWA, the attacker's code runs within the privilege context of the LocalService account on the Microsoft Exchange Server. The LocalService account by default has limited system and file system privileges and sends only anonymous credentials over the network.

The third vulnerability, CVE-2013-3781, exists only in Exchange Server 2013 through the Data Loss Prevention (DLP) feature. This vulnerability could cause the affected Exchange server to become unresponsive if a user views a specially crafted file through Outlook Web Access, resulting in Denial of Service conditions.

August 15 - UPDATED DESCRIPTION:
Microsoft has removed the update for MS13-061 from distribution. The patch is reportedly causing errors in Microsoft Exchange Server 2013 due to the Exchange Search Host Controller being renamed. This will cause indexing errors on the server.

It should be noted that this issue is not known to affect Microsoft Exchange 2007 or Microsoft Exchange 2010.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Evaluate the need for WebReady Document viewing and disable if deemed non-essential.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to open untrusted attachments from unknown or untrusted sources.
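The following is an added example, not part of the MS-ISAC advisory, showing how the WebReady Document Viewing recommendation above can be audited and applied. It assumes it is run from the Exchange Management Shell on Exchange Server 2007 or 2010 by an account permitted to run Get-OwaVirtualDirectory and Set-OwaVirtualDirectory; the function name Invoke-WebReadyAudit is this example's own.

```powershell
# Added example (not MS-ISAC or Microsoft code). Lists the WebReady Document
# Viewing state of every OWA virtual directory and, with -Disable, turns the
# feature off for both the public- and private-computer OWA profiles.
# Assumption: run in the Exchange Management Shell (Exchange 2007/2010).
function Invoke-WebReadyAudit {
    param(
        [switch]$Disable   # without this switch the function only reports
    )

    $dirs = Get-OwaVirtualDirectory
    foreach ($d in $dirs) {
        $publicOn  = $d.WebReadyDocumentViewingOnPublicComputersEnabled
        $privateOn = $d.WebReadyDocumentViewingOnPrivateComputersEnabled

        [pscustomobject]@{
            Server        = $d.Server
            Directory     = $d.Identity
            WebReadyPublic  = $publicOn
            WebReadyPrivate = $privateOn
        } | Format-List

        if ($Disable -and ($publicOn -or $privateOn)) {
            # -Confirm prompts before each change so the run can be reviewed;
            # users will lose the "Open as Web Page" preview on this directory.
            Set-OwaVirtualDirectory -Identity $d.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false `
                -Confirm
        }
    }

    if ($Disable) {
        # Re-read the directories so the post-change state is visible.
        Get-OwaVirtualDirectory |
            Select-Object Server, Identity,
                WebReadyDocumentViewingOnPublicComputersEnabled,
                WebReadyDocumentViewingOnPrivateComputersEnabled |
            Format-Table -AutoSize
    }
}

# Report only:
Invoke-WebReadyAudit
# Report and disable after confirmation:
# Invoke-WebReadyAudit -Disable
```

Run the report-only form first to record the current state per server, and keep that output so the setting can be restored once the corrected update is applied.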

August 15 - UPDATED RECOMMENDATIONS:
If you have already updated and are receiving errors, please refer to Knowledge Base Article 2879739. This article can be found at the following link:
http://support.microsoft.com/kb/2879739

If you have not updated, refer to the FAQ section of the security bulletin for recommended actions.
http://technet.microsoft.com/en-us/security/bulletin/ms13-061

REFERENCES:

Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms13-061

https://support.microsoft.com/kb/2876063

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2393
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3776
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3781

August 15 - UPDATED REFERENCES:

Microsoft:
http://support.microsoft.com/kb/2879739
http://technet.microsoft.com/en-us/security/bulletin/ms13-061