American Security Council Foundation

Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

Microsoft Exchange Server’s Autodiscover Feature Leaked Credentials of Over 100,000 Users To Third-Party Untrusted Domains

Friday, October 1, 2021

Categories: ASCF News Cyber Security

Source: https://www.cpomagazine.com/cyber-security/microsoft-exchange-servers-autodiscover-feature-leaked-credentials-of-over-100000-users-to-third-party-untrusted-domains/

Microsoft Exchange server’s incorrect implementation of the Autodiscover feature leaked at least 100,000 login names and passwords of Windows domains, according to Guardicore’s AVP of Security Research Amit Serper.

The Autodiscover feature allows Microsoft’s and third-party email clients to acquire configuration settings automatically from Microsoft Exchange servers. Microsoft says the feature enables users to configure their mail clients with “minimal user input.”

However, the researcher discovered that the feature leaked credentials to untrusted third-party websites.

Additionally, email client applications such as Microsoft Outlook sent the credentials using HTTP Basic authentications, in plaintext format.

Microsoft Exchange servers authenticate on third-party web servers
The bug originates from how Microsoft Exchange handles authentication for email clients such as Microsoft Outlook.

According to the researchers, when a user enters an email address and password combination, the client attempts to find the configuration URL in the Service Connection Point (SCP) in the Active Directory Domain Services (AD DS).

If the client has no access to AD DS, it instead attempts to authenticate against a series of autogenerated Microsoft Exchange Autodiscover URLs, which it builds from the domain part of the user's email address.

The mail client then sends the user's login credentials to each Autodiscover endpoint and waits for a response.

However, if the mail client cannot authenticate on a given URL, it creates more authentication URLs and attempts to authenticate on them by sending the user’s login credentials.

For example, if a user enters an email address like “user@example.com,” the mail client would generate the following URLs:

https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
http://example.com/Autodiscover/Autodiscover.xml

Serper says that the mail client would try to authenticate against each URL until one succeeded and sent back configuration details to the client.

However, if authentication fails on all of the above domains, the email client creates additional Autodiscover URLs by backing off to the top-level domain, such as autodiscover.[tld].

For example, once all the domain-specific Autodiscover URLs have failed, the email client will try http://autodiscover.com/Autodiscover/autodiscover.xml.

Sadly, the organizations whose users run these email clients rarely own the top-level Autodiscover domains, and rarely realize that their clients send credentials to them. Thus, attackers could register such top-level Autodiscover domains to collect the leaked credentials.

“For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL, but Autodiscover can also provide information to configure clients that use other protocols,” the researchers wrote. “Autodiscover works for client applications that are inside or outside firewalls and will work in resource forest and multiple forest scenarios.”

Email clients sent leaked credentials in plaintext
The researchers found that email clients sent the authentication details using HTTP Basic authentication, making them readable by anyone operating the receiving endpoint. Additionally, Serper discovered that requests sent using NTLM and OAuth could be downgraded to Basic authentication through what he called “the ol’ switcheroo” method.

The researchers registered several Autodiscover domains under various TLDs to measure the leak. They received 648,976 HTTP requests, 372,072 Basic authentication requests, and 96,671 unique pre-authenticated requests.

Guardicore researchers recommended blocking all top-level Autodiscover domains so that email clients cannot connect to them and leak credentials. Additionally, organizations should disable Basic authentication, which sends credentials in plaintext.
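The fallback sequence described above, together with the blocking and detection steps the researchers recommend, can be modelled in a few lines. The following is an added example and not code from Guardicore, Microsoft or CPO Magazine. It reproduces the URL order the article gives for user@example.com, generalises the top-level back-off (an assumption of this example) to strip one label at a time, classifies each candidate by whether its host is under the user's own domain, and runs a simple check over constructed proxy log lines to spot Autodiscover requests that left the organisation. The log format and the sample lines are invented for the example.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def backoff_hosts(domain: str) -> list:
    """Hosts a client falls back to once every in-domain candidate has failed.
    The article shows the autodiscover.[tld] case; this example assumes the
    client strips one label at a time, e.g. mail.corp.example ->
    autodiscover.corp.example, autodiscover.example."""
    labels = domain.lower().split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(1, len(labels))]


def candidate_urls(email: str) -> list:
    """Candidate URLs in the order the article gives: autodiscover.<domain>
    and <domain>, each over https then http, followed by the back-off hosts."""
    domain = email.rsplit("@", 1)[1].lower()
    hosts = [f"autodiscover.{domain}", domain] + backoff_hosts(domain)
    return [f"{scheme}://{host}{AUTODISCOVER_PATH}"
            for host in hosts for scheme in ("https", "http")]


def outside_org(host: str, org_domain: str) -> bool:
    """True when host is neither org_domain nor a subdomain of it, i.e. whoever
    registered that name receives whatever the client sends to it."""
    host, org = host.lower(), org_domain.lower()
    return not (host == org or host.endswith("." + org))


def risky_candidates(email: str) -> list:
    """The subset of candidate URLs that would carry credentials out of the org;
    these hosts are the ones to block at DNS or the proxy."""
    domain = email.rsplit("@", 1)[1].lower()
    return [u for u in candidate_urls(email)
            if outside_org(urlsplit(u).hostname or "", domain)]


# Constructed proxy log lines (not real traffic): timestamp, client IP, host,
# path, auth scheme offered by the client, HTTP status returned.
LOG_LINES = [
    "2021-09-22T10:01:02Z 10.0.0.5 autodiscover.example.com /Autodiscover/Autodiscover.xml Basic 401",
    "2021-09-22T10:01:03Z 10.0.0.5 autodiscover.com /Autodiscover/Autodiscover.xml Basic 200",
    "2021-09-22T10:01:04Z 10.0.0.7 autodiscover.example.com /Autodiscover/Autodiscover.xml NTLM 401",
    "2021-09-22T10:01:05Z 10.0.0.7 autodiscover.com /Autodiscover/Autodiscover.xml Negotiate 401",
    "2021-09-22T10:01:06Z 10.0.0.9 www.example.com /index.html Basic 200",
]


def flag_external_autodiscover(lines, org_domain: str) -> list:
    """Return (client, host, auth_scheme, plaintext) for every Autodiscover
    request that went to a host outside org_domain. plaintext is True for
    Basic, which carries the password in the clear; other schemes are still
    reported because the article notes they can be downgraded."""
    hits = []
    for line in lines:
        _ts, client, host, path, auth, _status = line.split()
        if path.lower() != AUTODISCOVER_PATH.lower():
            continue
        if outside_org(host, org_domain):
            hits.append((client, host, auth, auth == "Basic"))
    return hits


if __name__ == "__main__":
    for u in candidate_urls("user@example.com"):
        tag = "LEAK " if outside_org(urlsplit(u).hostname or "", "example.com") else "ok   "
        print(tag + u)
    print("block at DNS/proxy:", backoff_hosts("example.com"))
    print("external Autodiscover requests:", flag_external_autodiscover(LOG_LINES, "example.com"))
```

Running the block prints the six candidates for user@example.com with the two autodiscover.com entries marked as leaks, the host to block, and the two log lines in which a client reached an Autodiscover endpoint outside example.com. The NTLM request to the in-domain host is not flagged; the Negotiate request to autodiscover.com is, since the receiving server, not the client, decides whether to accept the offered scheme.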

Microsoft’s Senior Director Jeff Jones said the company was actively investigating the design flaw and would take appropriate steps to protect customers.

He also noted that Guardicore researchers publicized the bug without informing Microsoft in advance, thus putting users at risk. It’s unclear whether threat actors have compromised any Microsoft Exchange clients using the leaked credentials.

Alicia Townsend, Technology Evangelist at OneLogin, said it was disheartening that this security flaw was discovered in a mature product like Microsoft Exchange Server.

“But maybe the answer lies in the fact that it is happening in a product that has been around for so long,” Townsend said. “The Exchange Autodiscover feature which is the feature at the heart of this new vulnerability was introduced in Exchange 2007.”

“It is unclear as to whether or not this flaw in the design has been around that long. Whether the oversight was on the part of early developers or was introduced by more recent developers, it is clear that Security First was not their primary objective.”

She added that software manufacturers had the responsibility of ensuring that their developers were educated on creating and securing their code.

“We need to evaluate not just new functionality but existing functionality because as we can see with the Exchange Autodiscover feature, something could have been designed into the feature years ago and no one has been aware of it. Customers put their trust in us and we need to be ever vigilant.”
