Any plans to release some type of detection for the new exchange api abuse attack method:
Abusing Exchange: One API call away from Domain Admin - dirkjanm.io
A CVE was published for PrivExchange: CVE-2019-0686. Jimmy made note of it in his blog about the Feb updates from MS: https://blog.qualys.com/laws-of-vulnerabilities/2019/02/12/february-2019-patch-tuesday-74-vulns-20-critical-exchange-0-d… QID published is 53021.
Looks like Qualys updated an older finding related to CVE-2018-8581 (QID 53018, released in late December 2018). I am guessing this was done because the researcher mentioned this in his write-up. MS doesn't ref this CVE in their recent advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007 . So I am curious why Qualys opted to?
Also, why isn't this being labeled a 0-day, and why doesn't Qualys note that exploit code is available (GitHub - dirkjanm/PrivExchange: Exchange your privileges for Domain Admin privs by abusing Exchange)? There is no official patch for the CVE or the advisory... So doesn't that classify either as a 0-day?
Would like to get input from vuln sigs on rationale here...
Since there has been a lack of response, I have opened a support case to hopefully get some answers. Will reply back when I have more to share.
FYI Microsoft released official patches:
Dirk-jan on Twitter: "Microsoft released patches for #PrivExchange today! 1) Latest version won't authenticate when send…
Released: February 2019 Quarterly Exchange Updates – You Had Me At EHLO…
Not clear if Qualys will update detection, release new QID, etc... Updating my case to determine.
To clarify a rather confusing post from me, I think the ultimate question is whether or not Qualys will be releasing a QID for KB4490059 (https://support.microsoft.com/en-us/help/4490059/using-shared-permissions-model-to-run-exchange-server ). I have updated my support case with this info. Will report back what I hear.
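For anyone who wants a local check while waiting on a QID for KB4490059, here is an added example (not code from the posts above, from dirkjanm, from Qualys or from Microsoft). It does two things: it compares each Exchange server's build against a table of minimum builds, and it looks at the domain object's ACL for WriteDacl entries held by Exchange's AD groups, which is the permission the shared permissions model guidance reduces. The build numbers in the table and the choice of WriteDacl as the right to look for are assumptions made for this example and are not stated in the thread; verify them against the KB and the EHLO post before relying on the output.

```powershell
# Added example for this thread: a local check for the PrivExchange fix level.
# Not from the posts, from dirkjanm, from Qualys or from Microsoft.
# Run from the Exchange Management Shell on a host that also has RSAT-AD-PowerShell.
# Assumptions (not stated in the thread): the builds below are the February 2019
# quarterly updates, and the right to look for is WriteDacl on the domain object.

Import-Module ActiveDirectory -ErrorAction Stop

# Assumed minimum builds per major.minor branch. Keep this table current: a branch
# can also receive a security update without moving to the next CU.
$MinimumBuild = @{
    '15.2' = [version]'15.2.330.5'   # Exchange 2019 CU1       (assumed)
    '15.1' = [version]'15.1.1713.5'  # Exchange 2016 CU12      (assumed)
    '15.0' = [version]'15.0.1473.3'  # Exchange 2013 CU22      (assumed)
    '14.3' = [version]'14.3.442.0'   # Exchange 2010 SP3 RU26  (assumed)
}

# AdminDisplayVersion renders as "Version 15.1 (Build 1713.5)"; turn it into a [version].
function ConvertTo-ExchangeVersion {
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    throw "Unrecognised version string: $AdminDisplayVersion"
}

# One row per server; Patched is $null when the branch is not in the table.
function Test-ExchangeServerBuild {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$AdminDisplayVersion)
    $ver = ConvertTo-ExchangeVersion $AdminDisplayVersion
    $min = $MinimumBuild['{0}.{1}' -f $ver.Major, $ver.Minor]
    $patched = if ($null -eq $min) { $null } else { $ver -ge $min }
    [pscustomobject]@{ Server = $Name; Build = $ver; Minimum = $min; Patched = $patched }
}

# Returns the Allow ACEs on the domain object that grant WriteDacl to one of the
# Exchange groups. Groups are matched by SID so a renamed group still matches.
function Get-ExchangeWriteDaclOnDomain {
    $domainDN  = (Get-ADDomain).DistinguishedName
    $sids      = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem') |
        ForEach-Object { Get-ADGroup -Filter "Name -eq '$_'" -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.SID.Value }
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { ($_.ActiveDirectoryRights -band $writeDacl) -eq $writeDacl } |
        Where-Object {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $sids -contains $sid
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# --- run -----------------------------------------------------------------------
$builds = Get-ExchangeServer | ForEach-Object {
    Test-ExchangeServerBuild -Name $_.Name -AdminDisplayVersion $_.AdminDisplayVersion.ToString()
}
$builds | Format-Table -AutoSize

$aces = @(Get-ExchangeWriteDaclOnDomain)
if ($aces.Count -eq 0) {
    Write-Host 'No Exchange group holds WriteDacl on the domain object.'
} else {
    Write-Warning 'Exchange groups still hold WriteDacl on the domain object:'
    $aces | Format-Table -AutoSize
}
```

The build table is the weaker half of the check: a server on an older CU with the matching security update would show as Patched = False here, so treat that column as "needs a look", not as a finding. The ACL half is what tells you whether the permissions reduction from the KB has actually been applied in the domain, and it is the one a vuln signature cannot see from a network scan.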