====================================================================
CERT-Renater Information Note No. 2016/VULN015
_____________________________________________________________________

DATE : 13/01/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Exchange Server version 2013, 2016.

======================================================================

KB3124557
https://technet.microsoft.com/en-us/library/security/MS16-010
_____________________________________________________________________

Microsoft Security Bulletin MS16-010: Security Update for Microsoft Exchange Server to Address Spoofing (3124557)

Document Metadata

Bulletin Number: MS16-010
Bulletin Title: Security Update in Microsoft Exchange Server to Address Spoofing
Severity: Important
KB Article: 3124557
Version: 1.0
Published Date: January 12, 2016

Executive Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow spoofing if Outlook Web Access (OWA) fails to properly handle web requests and sanitize user input and email content.

Affected Software

Microsoft Exchange Server 2013 Service Pack 1
Microsoft Exchange Server 2013 Cumulative Update 10
Microsoft Exchange Server 2013 Cumulative Update 11
Microsoft Exchange Server 2016

Vulnerability Information

Multiple Exchange Spoofing Vulnerabilities

Multiple spoofing vulnerabilities exist in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited the vulnerabilities could perform script or content injection attacks and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.

To exploit the vulnerabilities, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link. However, in both examples the user must click the malicious link.

The security update addresses the vulnerabilities by correcting how OWA validates web requests.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                CVE number      Publicly disclosed   Exploited
Exchange Spoofing Vulnerability    CVE-2016-0029   No                   No
Exchange Spoofing Vulnerability    CVE-2016-0030   No                   No
Exchange Spoofing Vulnerability    CVE-2016-0031   No                   No
Exchange Spoofing Vulnerability    CVE-2016-0032   No                   No

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41            +
+ 75013 Paris           | email: cert@support.renater.fr   +
==========================================================