CVE-2023-35368

FAQ

How could an attacker exploit this vulnerability?

Successful exploitation of this vulnerability could allow an attacker the ability to gain remote code execution via an in-network attacker calling arbitrary endpoints.

Is there anything that I should be aware of if I'm running a non-English operating system and version of Exchange server?

Yes, an issue has been discovered with the non-English August updates of Exchange Server and you should postpone installing these updates. The script protecting customers from the vulnerability documented by CVE-2023-21709 can be run to protect against the vulnerability without installing the August updates. Microsoft recommends running the script.

August 15, 2023 Update: The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.

Please see the Exchange Blog for more information.

According to the CVSS metric, the attack vector is adjacent (AV:A), and privilege required is none (PR:N). What does that mean for this vulnerability?

The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution and attempt to trigger malicious code in the context of the server's account through a network call. The attacker needs no privileges to perform this attack.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.