The CERT Coordination Center (CERT/CC) has issued a vulnerability note warning that Microsoft Exchange 2013 and newer versions are vulnerable to NTLM relay attacks.
The issue, for which there is no patch or viable solution, stems from the software's failure to set the signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server. The problem is particularly dangerous because Microsoft Exchange is granted extensive privileges by default.
“Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server,” CERT/CC wrote.
The end result is that an attacker who has credentials for an Exchange mailbox and can communicate with both an Exchange server and a Windows domain controller may be able to gain domain administrator privileges. An attack is also possible even if the malicious actor does not have a password, by using an SMB-to-HTTP relay attack.
CERT/CC is recommending two workarounds. The first is to disable EWS push/pull subscriptions, and the second is to remove the privileges that Exchange has on the domain object.
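The following is an added example, not code from the article or from the CERT/CC note, showing how an administrator might audit an environment against the two workarounds described above. It assumes it is run in an Exchange Management Shell session on a domain-joined host with the RSAT ActiveDirectory module available; the throttling policy name `NoEWSSubscriptions` and the `$RemoveAce` switch are assumptions chosen for this example.

```powershell
# Added example (not from the article or CERT/CC): audit the two workaround areas.
# Assumes Exchange Management Shell + RSAT ActiveDirectory module. Policy name
# 'NoEWSSubscriptions' and the $RemoveAce switch are placeholders for this example.

# --- Workaround 1: EWS push/pull subscriptions ---------------------------------
# List organization-scoped throttling policies and their EwsMaxSubscriptions cap.
$orgPolicies = Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' }
$orgPolicies | Format-Table Name, ThrottlingPolicyScope, EwsMaxSubscriptions -AutoSize

# If no org-wide policy already caps EWS subscriptions at 0, create one.
# This disables EWS push/pull subscriptions for the whole organization, so
# confirm in a test environment that no application depends on them first.
if (-not ($orgPolicies | Where-Object { "$($_.EwsMaxSubscriptions)" -eq '0' })) {
    New-ThrottlingPolicy -Name 'NoEWSSubscriptions' `
                         -ThrottlingPolicyScope Organization `
                         -EwsMaxSubscriptions 0
}

# --- Workaround 2: Exchange privileges on the domain object -------------------
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# Report every ACE on the domain object granted to an Exchange group that
# includes WriteDacl; this is the permission the CERT/CC note calls out.
$exchangeWriteDacl = $acl.Access | Where-Object {
    "$($_.IdentityReference)" -like '*Exchange*' -and
    "$($_.ActiveDirectoryRights)" -match 'WriteDacl' -and
    $_.AccessControlType -eq 'Allow'
}
$exchangeWriteDacl | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Optional removal, off by default. Removing these ACEs is the second CERT/CC
# workaround; review the report above and have a rollback plan before enabling.
$RemoveAce = $false
if ($RemoveAce -and $exchangeWriteDacl) {
    foreach ($ace in $exchangeWriteDacl) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}
```

The first half only reports and, if needed, adds a throttling policy; the second half defaults to reporting the WriteDacl entries rather than removing them, since altering the domain object's ACL affects every Exchange server in the forest and should be planned as a change rather than run ad hoc.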