The Vulnerability Details
Microsoft has disclosed a new security vulnerability affecting on-premises versions of Exchange Server, which is already being exploited in the wild. The flaw originates from improper input neutralization during web page generation, specifically a cross-site scripting (XSS) issue. An attacker can send a specially crafted email to a user, and if the message is opened in Outlook Web Access under certain interaction conditions, malicious JavaScript code can execute in the context of the user's web browser session.
The vulnerability has been given a severity score of 8.1, indicating a high risk. Microsoft noted that an anonymous researcher discovered and reported the issue. Exchange Online customers are not affected, but all current on-premises versions, including Exchange Server 2016, 2019, and Subscription Edition, are vulnerable regardless of their update level.
Mitigation and Response
Microsoft is preparing a permanent fix but has released a temporary mitigation through its Exchange Emergency Mitigation Service (EEMS). This service automatically applies a URL rewrite configuration to block the attack vector, and it is enabled by default. Users who have disabled the service are urged to turn it back on.
For organizations operating in air-gapped environments where EEMS cannot be used, Microsoft provides an alternative. Administrators can download the Exchange on-premises Mitigation Tool (EOMT) and run a script to apply the mitigation on individual servers or across their entire organization. Microsoft recommends immediate action given that exploitation has already been detected.
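For administrators who want to verify the state described above, the following Exchange Management Shell snippet checks whether the Emergency Mitigation Service is running and enabled, re-enables it where it was switched off, and lists the mitigations it has applied. This is an added example, not code from the article or from Microsoft; the cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties are the documented EEMS interface, and the Windows service name `MSExchangeMitigation` and the `Get-Mitigations.ps1` script path are assumed from Microsoft's EEMS documentation.

```powershell
# Added example: run in the Exchange Management Shell on an on-premises
# Exchange server. Assumptions: the EM service is registered as
# MSExchangeMitigation and Get-Mitigations.ps1 lives in the Scripts folder.

# 1. Confirm the EM service itself is installed and running on this server.
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# 2. Check the organization-wide switch and the per-server state.
#    Both must be $true for mitigations to be applied automatically.
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer | Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Re-enable automatic mitigations wherever they were turned off.
Set-OrganizationConfig -MitigationsEnabled $true
Get-ExchangeServer |
    Where-Object { -not $_.MitigationsEnabled } |
    ForEach-Object { Set-ExchangeServer -Identity $_.Name -MitigationsEnabled $true }

# 4. Summarize what the service has applied (and what was blocked) per server,
#    so the URL rewrite mitigation mentioned by Microsoft can be confirmed.
Get-ExchangeServer | ForEach-Object {
    [pscustomobject]@{
        Server  = $_.Name
        Enabled = $_.MitigationsEnabled
        Applied = ($_.MitigationsApplied -join ', ')
        Blocked = ($_.MitigationsBlocked -join ', ')
    }
} | Format-Table -AutoSize

# 5. Optional: Microsoft's own reporting script gives the same view per server
#    (path assumed from the documented Scripts folder location).
$scriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1'
if (Test-Path $scriptPath) { & $scriptPath }
```

Servers that cannot reach the mitigation endpoint (for example, the air-gapped environments the article mentions) will show no applied mitigations here; for those, the EOMT script Microsoft provides has to be run on each server instead, and the same `Get-ExchangeServer` properties can then be used to confirm the result.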
Source: The Hacker News