===================================================================== CERT-Renater Note d'Information No. 2013/VULN550 _____________________________________________________________________ DATE : 11/12/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Microsoft Exchange Server version 2007, 2010, 2013. ====================================================================== KB2915705 https://technet.microsoft.com/en-us/security/bulletin/ms13-105 ______________________________________________________________________ Microsoft Security Bulletin MS13-105 - Critical Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705) Published Date: December 10, 2013 Version: 1.0 General Information Executive Summary This security update resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network. This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013. For more information, see the subsection, Affected and Non-Affected Software, in this section. Affected Software Microsoft Exchange Server 2007 Service Pack 3 Microsoft Exchange Server 2010 Service Pack 2 Microsoft Exchange Server 2010 Service Pack 3 Microsoft Exchange Server 2013 Cumulative Update 2 Microsoft Exchange Server 2013 Cumulative Update 3 Vulnerability Information Oracle Outside In Contains Multiple Exploitable Vulnerabilities Two of the vulnerabilities addressed in this bulletin, CVE-2013-5763 and CVE-2013-5791, exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited this vulnerability could run code on the affected Exchange Server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. In addition, CVE-2013-5763 and CVE-2013-5791 exist in Exchange Server 2013 through the Data Loss Protection (DLP) feature. This vulnerability could cause the affected Exchange Server to become unresponsive if a user sends or receives a specially crafted file. MAC Disabled Vulnerability - CVE-2013-1330 A remote code execution vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account. OWA XSS Vulnerability - CVE-2013-5072 An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run script in the context of the current user. ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================