Microsoft Exchange adds warning to emails abusing spoofing flaw

November 12, 2024 at 04:47PM

Microsoft revealed a critical vulnerability (CVE-2024-49040) in Exchange Server 2016 and 2019 that allows email spoofing by forging legitimate senders. Discovered by Vsevolod Kokorin, the flaw exposes organizations to exploitation. Microsoft has released updates that detect exploitation attempts and prepend warning banners to suspicious emails, and urges administrators to keep these security features enabled.

### Meeting Takeaways:

1. **Vulnerability Disclosure**: Microsoft revealed a critical vulnerability (CVE-2024-49040) in Exchange Server 2016 and 2019 that permits email spoofing by allowing attackers to forge legitimate sender addresses.

2. **Discovery**: The flaw was identified by security researcher Vsevolod Kokorin from Solidlab, who found inconsistencies in how SMTP servers parse recipient addresses that contribute to the spoofing issue.

3. **Compliance Issues**: Kokorin noted that several email providers fail to adhere to RFC standards, particularly regarding the parsing of the ‘From’ field, which exacerbates the vulnerability.

4. **Current Implementation Problem**: The vulnerability stems from how the P2 FROM header verification is implemented in transport. Specifically, it lets non-compliant headers pass through, which can mislead email clients such as Microsoft Outlook about who sent the message.

5. **Prevention Measures by Microsoft**:
– Microsoft has released updates during Patch Tuesday to improve exploitation detection and issue warning banners on affected emails.
– Exchange servers will now prepend warnings to emails detected as having forged sender addresses after installing the November 2024 Security Update.

6. **Warning Messages**: Emails identified as suspicious will include warnings in their bodies, alerting users not to trust the information without verification.

7. **Admin Guidance**:
– By default, exploitation detection and warnings are enabled if secure settings are applied.
– A PowerShell command is provided for administrators who wish to disable this security feature, though Microsoft strongly advises against it due to increased phishing risks.

8. **Recommended Action**: Organizations running Exchange Server should apply the necessary updates, which enable email spoofing detection, and keep the security settings enabled to protect against phishing threats.
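Items 4 and 6 above describe the two halves of the mitigation: rejecting a P2 From header that does not follow RFC 5322, and prepending a warning to the body of a message that fails that check. The following is an added illustration of that defensive logic, written for this summary; it is not Exchange's implementation or Microsoft's code. It assumes a strict "exactly one mailbox, no stray text" policy for the From value, which is an assumption made here for clarity; the banner wording, the `X-Demo-From-Check` header name, and the sample messages are all constructed for the example.

```python
import email
import re
from dataclasses import dataclass
from typing import Optional

# Strict grammar for a single RFC 5322 mailbox (simplified on purpose: dot-atom local
# part and domain only; quoted local parts, domain literals, comments and obsolete
# forms such as an unquoted period in a display name are rejected, so a production
# filter would need an explicit policy decision about those legacy shapes).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
ADDR_SPEC = rf"{DOT_ATOM}@{DOT_ATOM}"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
DISPLAY_NAME = rf"(?:{QUOTED_STRING}|{ATEXT}+(?:[ \t]+{ATEXT}+)*)"

# Either a bare addr-spec, or an optional display name followed by exactly one
# angle-addr. A second mailbox, an unquoted '@' inside the display name, or any
# text after the closing '>' fails the match and is classified as non-compliant.
STRICT_FROM = re.compile(
    rf"^[ \t]*(?:(?P<bare>{ADDR_SPEC})"
    rf"|(?:(?P<name>{DISPLAY_NAME})[ \t]*)?<(?P<angle>{ADDR_SPEC})>)[ \t]*\Z"
)

# Constructed banner text for this example (not Microsoft's wording).
WARNING_BANNER = (
    "NOTICE: the sender address of this message could not be verified. "
    "Do not act on its contents without confirming the source by another channel.\n\n"
)


@dataclass(frozen=True)
class FromVerdict:
    compliant: bool
    address: Optional[str]  # the single mailbox found, when the header is compliant
    reason: str


def check_from_header(raw_from: str) -> FromVerdict:
    """Classify a raw From: header value under the strict single-mailbox policy."""
    if not raw_from or not raw_from.strip():
        return FromVerdict(False, None, "missing From header")
    # Unfold RFC 5322 folding white space before matching.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_from)
    m = STRICT_FROM.match(unfolded)
    if m is None:
        return FromVerdict(False, None, "From value is not a single RFC 5322 mailbox")
    return FromVerdict(True, m.group("bare") or m.group("angle"), "ok")


def annotate_message(raw_message: str) -> str:
    """Stamp a verdict header on the message; when the From header fails the check,
    also prepend the banner to a single-part body (multipart bodies only get the header)."""
    msg = email.message_from_string(raw_message)
    verdict = check_from_header(msg.get("From", ""))
    msg["X-Demo-From-Check"] = "ok" if verdict.compliant else "non-compliant"
    if not verdict.compliant and not msg.is_multipart():
        msg.set_payload(WARNING_BANNER + msg.get_payload())
    return msg.as_string()


# Constructed sample messages for the demonstration.
CLEAN_MESSAGE = (
    "From: Alice Example <alice@example.com>\n"
    "To: bob@example.org\n"
    "Subject: Invoice for March\n"
    "\n"
    "Hi Bob, the updated invoice is on the portal.\n"
)

# Display name that is itself an address but is not quoted: a lenient parser may
# show the display name as the sender, while the real mailbox is in the angle-addr.
SUSPICIOUS_MESSAGE = (
    "From: alice@example.com <mailer@example.net>\n"
    "To: bob@example.org\n"
    "Subject: Invoice for March\n"
    "\n"
    "Hi Bob, please see the updated invoice.\n"
)

if __name__ == "__main__":
    for sample in (CLEAN_MESSAGE, SUSPICIOUS_MESSAGE):
        print(annotate_message(sample))
        print("-" * 40)
```

The check is deliberately stricter than the full RFC 5322 grammar: it is easier to reason about what a client will display when only one unambiguous shape is accepted, and the cost is that legacy display names (unquoted periods, comments) are flagged and need a policy decision rather than silently passing.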
