pramod1 (United States of America) asked:
EXCHANGE 2007, EXCHANGE 2013

Please see the findings below from a recent review.

Can you please let me know:

• Will the upgrade to Exchange 2013 resolve the vulnerability below?
• Do we have any viable options with 2007 to change this now?

We are using basic authentication for OWA and also have a SAN certificate on our Exchange.

Will enabling SSL work, and how?

Status: CONFIRMED

Summary of Finding
The Client Access Server (CAS) that services Autodiscover and Outlook Web App (OWA) has been found to be vulnerable to time-based authentication attacks. When sending authentication requests to the CAS, behavior in the timing of the responses can be used to verify Active Directory realms and usernames within those realms. Authentication timing issues have been found in specific IIS file paths and OWA form-based authentication. This issue can allow a malicious actor to confirm the existence of a specific username in the directory and will make other attacks such as password guessing or social engineering attacks more successful.

Proof of Concept
During the discovery portion of the assessment, Rapid7 identified an instance of OWA 2007, as shown in Figure 10:
Figure 10: OWA 2007
This version is vulnerable to timing attacks. Rapid7 did not fully test this finding as it was out-of-scope.
Affected URI
• https://mail.domain.com

Recommendations
Several strategies can be leveraged to mitigate the Outlook Web App time-based authentication attack. Rapid7 recommends the following strategies:
• Proxy the OWA traffic either through an ISA or Microsoft Federation Service, as this mitigates the time-based attack.
• Use an alternate solution such as outsourcing Exchange services through Outlook.com, which is not vulnerable to the time-based attack.
• Protect the OWA service from the Internet by requiring a VPN connection to access it.
In general, to reduce the risk of unauthorized access to OWA through the use of compromised accounts, Rapid7 recommends applying two-factor authentication to the OWA service.
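Added example, not from this thread or from Rapid7: the timing probes the finding describes show up on the CAS as bursts of rejected logons against the OWA forms logon page and the Basic-auth IIS paths, so a defender can sweep the IIS logs for that pattern while the mitigations above are being planned. The log lines are constructed, and the W3C field order (date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken) is an assumption; adjust the regex to the fields your IIS site actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log lines, not traffic from the asker's server. Assumed field
# order: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
SAMPLE_LOG = """\
2016-03-01 10:00:01 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 203.0.113.5 200 31
2016-03-01 10:00:02 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 203.0.113.5 200 30
2016-03-01 10:00:03 GET /Autodiscover/Autodiscover.xml - 203.0.113.5 401 15
2016-03-01 10:00:04 GET /Autodiscover/Autodiscover.xml - 203.0.113.5 401 16
2016-03-01 10:00:05 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 203.0.113.5 200 30
2016-03-01 10:04:00 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 198.51.100.7 200 30
2016-03-01 10:04:30 GET /owa/ - 198.51.100.7 200 120
"""

# Paths the finding names: the OWA form-based logon page and the Basic-auth IIS endpoints.
FBA_LOGON = "/owa/auth/logon.aspx"
BASIC_PATHS = ("/autodiscover/autodiscover.xml", "/ews/exchange.asmx")
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Return (timestamp, path, query, client_ip, status) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(3).lower(), m.group(4), m.group(5), int(m.group(6))

def is_failed_auth(path, query, status):
    # reason=2 on the OWA logon page is the redirect target after a rejected user name or
    # password; a 401 on a Basic-auth endpoint is a rejected credential.
    return (path == FBA_LOGON and "reason=2" in query) or (path in BASIC_PATHS and status == 401)

def find_auth_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Map each client IP to its largest count of failed logons inside any sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_auth(rec[1], rec[2], rec[4]):
            failures[rec[3]].append(rec[0])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

On the constructed sample, 203.0.113.5 is flagged with five rejected logons inside one minute while the single failure from 198.51.100.7 stays below the threshold; tune the window and threshold to your own baseline of user typos.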
Tom Cieslik (United States of America):

Exchange 2007 has so many holes that it's not a good idea to keep it anymore.
The best solution is to upgrade to Exchange 2013/2016 and enable SSL by default.

Here you can find the whole upgrade scenario:

http://www.msexchange.org/articles-tutorials/exchange-server-2013/migration-deployment/planning-and-migrating-small-organization-exchange-2007-2013-part8.html
Tom, may I ask which vulnerabilities you are talking about?
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-194/version_id-138706/Microsoft-Exchange-Server-2007.html lists only patched ones for the latest version of 2007 SP3.

Not that I am recommending staying on 2007; no, you need to move this year, support ends soon. But still there will be no danger if you run the latest cumulative update, I guess. What CU do you run, pramod1?
You cannot upgrade; in fact it is like adding another Exchange server in the same organization and migrating all mailboxes to the new version. The most important requirement if you want to have coexistence: your Exchange 2007 should have SP3.

After you migrate you can secure it in various ways, using an SSL certificate and allowing only specific ports.
pramod1 (asker): I have SSL enabled, so why did I get the error?
pramod, name your version, please.
Accepted solution by suriyaehnop (Malaysia): [not included on this page]
pramod1 (asker): Exchange 2007 Enterprise SP3
You should look for patches for Exchange. I asked for the version, which would be something like 08.03.0502.000 (2007 SP3 with CU22). That's all you need to do. Why do more? We have not yet made out whether your Exchange is even patched at all.

After patching, re-run your pentesting tool.