Trend Micro’s Zero Day Initiative (ZDI) has disclosed four zero-day vulnerabilities in Microsoft Exchange that pose serious security risks. The vulnerabilities were reported to Microsoft on September 7th and 8th, 2023; Microsoft has acknowledged the issues but has yet to patch them. ZDI has opted for public disclosure, in line with its responsible disclosure policy.
Here is the list of vulnerabilities disclosed by ZDI:
- ZDI-23-1578 – ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability in Microsoft Exchange: This flaw enables remote attackers to execute arbitrary code on vulnerable Microsoft Exchange installations. Authentication is required for exploitation. The issue stems from inadequate validation of user-supplied data, potentially leading to untrusted data deserialization. An attacker can exploit this to execute code in the SYSTEM context.
- ZDI-23-1579 – DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability in Microsoft Exchange: This vulnerability allows remote attackers to disclose sensitive information in affected installations of Microsoft Exchange. Authentication is needed for exploitation. The problem lies in the DownloadDataFromUri method, where improper URI validation leads to resource access. This can be leveraged to reveal information within the Exchange server.
- ZDI-23-1580 – DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability in Microsoft Exchange: This flaw permits remote attackers to expose sensitive data on vulnerable Microsoft Exchange installations. Authentication is required for exploitation. The specific issue resides in the DownloadDataFromOfficeMarketPlace method, where inadequate URI validation facilitates resource access. An attacker can exploit this to disclose information within the Exchange server.
- ZDI-23-1581 – CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability in Microsoft Exchange: This vulnerability enables remote attackers to reveal sensitive information in vulnerable Exchange installations. Authentication is necessary for exploitation. The flaw is associated with the CreateAttachmentFromUri method, where insufficient URI validation allows access to resources. An attacker can use this to uncover information within the Exchange server.
All four vulnerabilities were discovered by Piotr Bazydlo of Trend Micro Zero Day Initiative. With no patches yet available, prompt mitigation is critical.
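The three SSRF entries above all trace back to a URI that is not validated well enough before the server fetches it. The following Python example is added here for illustration and is not Exchange code or taken from the ZDI advisories; it contrasts a prefix-only check with one that enforces scheme, an exact host allowlist and public-only resolved addresses. The host names, the allowlist and the offline resolver table are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not values from Exchange or the advisories).
ALLOWED_HOSTS = {"store.example.test", "cdn.example.test"}
SAMPLE_DNS = {
    "store.example.test": ["8.8.8.8"],   # stands in for a public address
    "cdn.example.test": ["10.0.0.5"],    # allowlisted name pointing at an internal host
}

def sample_resolve(host):
    """Offline stand-in for a DNS lookup; returns a list of IP strings."""
    return SAMPLE_DNS.get(host, [])

def naive_check(uri):
    """Weak validation: only confirms the string looks like a web URL."""
    return uri.lower().startswith(("http://", "https://"))

def is_public_ip(addr):
    """True only for globally routable addresses (no loopback, RFC 1918, link-local)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # treat ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global

def validate_fetch_uri(uri, resolve=sample_resolve, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the server may fetch this URI."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except ValueError:                   # malformed authority, e.g. bad IPv6 literal
        return False
    if parts.scheme != "https":          # no http, file, gopher, ...
        return False
    if not host or parts.username or parts.password:
        return False                     # userinfo can disguise the real host
    if host not in allowed_hosts:        # exact-match allowlist, not substring
        return False
    addrs = resolve(host)
    # Every resolved address must be public. The fetch itself must then connect
    # to one of these validated addresses and re-validate any redirect target.
    return bool(addrs) and all(is_public_ip(a) for a in addrs)
```

In a real service the `resolve` argument would wrap the platform's DNS lookup, and the HTTP client would be pinned to the addresses that passed the check.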