Hello, and welcome to the Monday, November 6, 2020,

edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich,

and today I'm recording from Jacksonville, Florida.

The CRD Initiative on Friday released details regarding four vulnerabilities in Exchange server that so far according to the

Serra Day initiative have not been patched. Now, there is a little bit of controversy here as to,

first of all, how severe these vulnerabilities are and whether or not they are exploitable

in current issues of the exchange server.

The first one that is labeled here as CDI 231578.

It's a remote code execution flaw, and it allows the execution of arbitrary code as system.

Now Microsoft stated in a response here that customers who have applied the August

security update are already protected, so in that way it would no longer be exploitable.

The remaining three vulnerabilities are all very similar. They're essentially

URI validation vulnerabilities where an attacker is able to trick the system into, for

example, downloading data from a URI that, well, the attacker isn't supposed to be able

to download data from.

At least sort of that's a description from CDI.

Microsoft's response, on the other hand, states that these vulnerabilities do not really

present privilege escalation.

They just execute functionality as the user logged in.

So it's not that you would be able to download data from another user or escalate privileges,

basically doing things that you weren't supposed to be doing.

And yes, you do need credentials.

...