msrc_cve-2023-21709
Vulnerability from csaf_microsoft
Published
2023-08-08 07:00
Modified
2023-10-10 07:00
Summary
Microsoft Exchange Server Elevation of Privilege Vulnerability

Notes

Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Customer Action
Required. The vulnerability documented by this CVE requires customer action to resolve.



{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Steve Walker with \u003ca href=\"https://www.wcribma.org/\"\u003eWCRIBMA\u003c/a\u003e"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709"
      },
      {
        "category": "self",
        "summary": "CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/2023/msrc_cve-2023-21709.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
    "tracking": {
      "current_release_date": "2023-10-10T07:00:00.000Z",
      "generator": {
        "date": "2025-01-01T01:58:31.362Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2023-21709",
      "initial_release_date": "2023-08-08T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-08-08T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2023-08-09T07:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added FAQ regarding a new known issue in the August Exchange security updates."
        },
        {
          "date": "2023-08-15T07:00:00.000Z",
          "legacy_version": "2",
          "number": "3",
          "summary": "The known issue affecting the non-English August updates of Exchange Server has been resolved.  Microsoft recommends installing the updated packages as soon as possible."
        },
        {
          "date": "2023-08-17T07:00:00.000Z",
          "legacy_version": "2.1",
          "number": "4",
          "summary": "Corrected security updates table.  This is an informational change only."
        },
        {
          "date": "2023-10-10T07:00:00.000Z",
          "legacy_version": "2.2",
          "number": "5",
          "summary": "Added FAQ information. This is an informational change only."
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.02.1118.037",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 12 \u003c15.02.1118.037",
              "product_id": "3"
            }
          },
          {
            "category": "product_version",
            "name": "15.02.1118.037",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 12 15.02.1118.037",
              "product_id": "12038"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2019 Cumulative Update 12"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.01.2507.032",
            "product": {
              "name": "Microsoft Exchange Server 2016 Cumulative Update 23 \u003c15.01.2507.032",
              "product_id": "2"
            }
          },
          {
            "category": "product_version",
            "name": "15.01.2507.032",
            "product": {
              "name": "Microsoft Exchange Server 2016 Cumulative Update 23 15.01.2507.032",
              "product_id": "12039"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2016 Cumulative Update 23"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c15.02.1258.025",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 13 \u003c15.02.1258.025",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "15.02.1258.025",
            "product": {
              "name": "Microsoft Exchange Server 2019 Cumulative Update 13 15.02.1258.025",
              "product_id": "12191"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Exchange Server 2019 Cumulative Update 13"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-21709",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "The attacker would be able to login as another user successfully.",
          "title": "What privileges could be gained by an attacker who successfully exploited the vulnerability?"
        },
        {
          "category": "faq",
          "text": "In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft encourages the use of strong passwords that are more difficult for an attacker to brute force.",
          "title": "How could an attacker exploit this vulnerability?"
        },
        {
          "category": "faq",
          "text": "The Microsoft proprietary severity rating does not align with the CVSS scoring system.  In this case, the severity rating of Important (rather than Critical) reflects the fact that brute-force attacks are unlikely to succeed against users with strong passwords.  The CVSS scoring system doesn\u0027t allow for this type of nuance.",
          "title": "Why is the severity for this CVE rated as Important, but the CVSS score is 9.8?"
        },
        {
          "category": "faq",
          "text": "Yes, CVE-2023-36434 which was published October 10,  2023 addresses a vulnerability in Windows IIS that completely mitigates this Exchange vulnerability.  If you have applied the additional steps documented in the following FAQ, please read the Exchange Blog for details on what to do now regarding this vulnerability as well as what to do for the new Windows IIS vulnerability.\nYes, in addition to installing the updates a script must be run. Alternatively you can accomplish the same by running commands from the command line in a PowerShell window or some other terminal.\nFollow the following steps:\n(Strongly recommended) Install Exchange Server 2016 or 2019 August SU (or later)\nDo one of the following:\nApply the solution for the CVE automatically on your servers, run the CVE-2023-21709.ps1 script. You can find the script and the documentation here: https://aka.ms/CVE-2023-21709ScriptDoc.\nApply the solution for the CVE manually on each server, by running the following command from an elevated PowerShell window:\nClear-WebConfiguration -Filter \"/system.webServer/globalModules/add[@name=\u0027TokenCacheModule\u0027]\" -PSPath \"IIS:\\\"\nTo roll-back the solution for the CVE manually on each server, run the following:\nNew-WebGlobalModule -Name \"TokenCacheModule\" -Image \"%windir%\\System32\\inetsrv\\cachtokn.dll\"\nAlthough Microsoft recommends installing the security updates as soon as possible, running the script or the commands\u00a0on a supported version of Exchange Server\u00a0prior to installing the updates will address this vulnerability.",
          "title": "Is there new information available regarding this CVE?"
        },
        {
          "category": "faq",
          "text": "Yes, an issue has been discovered with the non-English August updates of Exchange Server and you should postpone installing these updates.  The script protecting customers from the vulnerability documented by CVE-2023-21709 can be run to protect against the vulnerability without installing the August updates. Microsoft recommends running the script.\nAugust 15, 2023 Update: The known issue affecting the non-English August updates of Exchange Server has been resolved.  Microsoft recommends installing the updated packages as soon as possible.\nPlease see the Exchange Blog for more information.",
          "title": "Is there anything that I should be aware of if I\u0027m running a non-English operating system and version of Exchange server?"
        }
      ],
      "product_status": {
        "fixed": [
          "12038",
          "12039",
          "12191"
        ],
        "known_affected": [
          "1",
          "2",
          "3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709"
        },
        {
          "category": "self",
          "summary": "CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-08-08T07:00:00.000Z",
          "details": "15.02.1118.037:Security Update:https://support.microsoft.com/help/5030524",
          "product_ids": [
            "3"
          ],
          "url": "https://support.microsoft.com/help/5030524"
        },
        {
          "category": "vendor_fix",
          "date": "2023-08-08T07:00:00.000Z",
          "details": "15.01.2507.032:Security Update:https://support.microsoft.com/help/5030524",
          "product_ids": [
            "2"
          ],
          "url": "https://support.microsoft.com/help/5030524"
        },
        {
          "category": "vendor_fix",
          "date": "2023-08-08T07:00:00.000Z",
          "details": "15.02.1258.025:Security Update:https://support.microsoft.com/help/5030524",
          "product_ids": [
            "1"
          ],
          "url": "https://support.microsoft.com/help/5030524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 8.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Elevation of Privilege"
        },
        {
          "category": "exploit_status",
          "details": "Exploited:No;Latest Software Release:Exploitation Less Likely"
        }
      ],
      "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    }
  ]
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.