
====================================================================

                             CERT-Renater

                 Information Note No. 2015/VULN180
_____________________________________________________________________

DATE                : 09/09/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Microsoft Exchange Server
                      version 2013.

======================================================================
KB3089250
https://technet.microsoft.com/en-us/library/security/MS15-103
______________________________________________________________________

Microsoft Security Bulletin MS15-103: Important Vulnerabilities in
Microsoft Exchange Server Could Allow Information Disclosure (3089250)

Bulletin Number: MS15-103

Bulletin Title: Important Vulnerabilities in Microsoft Exchange Server
Could Allow Information Disclosure

Severity: Important

KB Article: 3089250

Version: 1.0

Published Date: September 8, 2015

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange
Server. The most severe of the vulnerabilities could allow information
disclosure if Outlook Web Access (OWA) fails to properly handle web
requests and to sanitize user input and email content.

This security update is rated Important for all supported editions of
Microsoft Exchange Server 2013. For more information, see the Affected
Software section.


Affected Software

Microsoft Server Software

Microsoft Exchange Server 2013 Cumulative Update 8

Microsoft Exchange Server 2013 Cumulative Update 9

Microsoft Exchange Server 2013 Service Pack 1


Vulnerability Information


Exchange Information Disclosure Vulnerability - CVE-2015-2505

An information disclosure vulnerability exists in Microsoft Exchange
Server when Outlook Web Access (OWA) fails to properly handle web
requests. An attacker who successfully exploited the vulnerability
could discover stack trace details.

To exploit the vulnerability, an attacker would have to create a
specially crafted web application request and then submit it to a web
application.


Multiple Exchange Spoofing Vulnerabilities

Spoofing vulnerabilities exist in Microsoft Exchange Server when OWA
does not properly sanitize specially crafted email. An authenticated
attacker could exploit the vulnerabilities by sending a specially
crafted email to a user. An attacker could then perform HTML injection
attacks on affected systems, and attempt to trick the user into
disclosing sensitive information.

To exploit the vulnerabilities, the user must click a specially crafted
URL. In an email attack scenario, an attacker could send an email
message containing the specially crafted URL to the user via OWA in an
attempt to convince the user to click it.

In a web-based attack scenario, an attacker could host a malicious
website designed to appear as a legitimate website to the user.
However, the attacker would have no way to force the user to visit the
malicious website. The attacker would have to convince the user to
visit the malicious website, typically by enticing the user to click a
link in either an instant messenger or email message that takes the
user to the attacker's malicious website, and then convince the user to
interact with content on the malicious website.

The security update addresses the vulnerabilities by helping to ensure
that OWA properly sanitizes email content.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title               CVE number      Publicly disclosed  Exploited

Exchange Spoofing Vulnerability   CVE-2015-2543   No                  No

Exchange Spoofing Vulnerability   CVE-2015-2544   No                  No

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
