Microsoft is reportedly moving quickly to blunt the impact of a security issue with the Autodiscover protocol for automatic configuration of clients — such as Microsoft Outlook — in Microsoft Exchange, which could allow an attacker to access Windows domain credentials used to authenticate to Exchange servers.
The protocol, described in a blog last week by security firm Guardicore, has a design flaw that causes it to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same top-level domain (for example Autodiscover.com).
“This is a severe security issue, since if an attacker can control such domains or has the ability to “sniff” traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire,” Guardicore said. “Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs.”
In a statement to the Bleeping Computer news service, Microsoft said it is “actively investigating and will take appropriate steps to protect customers.”
Bleeping Computer said one solution involves Microsoft buying dozens of domains around the world that include the word “autodiscover,” such as autodiscover.af.
Microsoft also complained that Guardicore published its blog before notifying Microsoft of the issue. In its blog Guardicore said it made “responsible disclosure processes with some of the vendors affected.” A company spokesperson also told CSO Online that Guardicore didn’t contact Microsoft because the underlying problem with how Autodiscover builds URLs is not a zero-day vulnerability and has been known since 2017 when it was publicly revealed at Black Hat Asia by the Shape Security researchers.
Two parts to the problem
Guardicore said there are two parts to the problem: The design of the Autodiscover protocol, and poor implementation of this protocol in some applications.
The Autodiscover protocol allows an end-user to completely configure a client solely by providing their username and password. The rest of the configuration is left to the Autodiscover protocol.
Since Exchange is part of the “Microsoft domain suite” of solutions, the blog says, the credentials that are necessary to login to one’s Exchange-based inbox are in most cases their domain credentials.
The client parses the email address supplied by the user. For demonstration purposes Guardicore uses “amit@example.com.” The client then tries to build an Autodiscover URL based on the email address with the following format:
- https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
- http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
- https://example.com/Autodiscover/Autodiscover.xml
- http://example.com/Autodiscover/Autodiscover.xml
If none of those URLs responds, Autodiscover will start its “back-off” procedure. That mechanism, Guardicore says, is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to “fail up,” so to speak. That means the result of the next attempt to build an Autodiscover URL would be: http://Autodiscover.com/Autodiscover/Autodiscover.xml.
“This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain,” says Guardicore.
Also, under some circumstances, an attacker could force a client’s request for a security token to send its credentials using the less secure HTTP basic authentication instead of a stronger scheme.
Guardicore proved this is a problem by buying 11 domains such as Autodiscover.com.br in Brazil. Then it waited for web requests for various Autodiscover endpoints to arrive. “To our surprise, we started seeing significant amounts of requests to Autodiscover endpoints from various domains, IP addresses and clients.” Generally, web requests should not be sent blindly pre-authenticated, but rather follow an HTTP authentication process, Guardicore said.
Between April 16th and August 25th Guardicore captured a large number of credentials this way, without sending a single packet other than what’s required to establish an HTTP/HTTPS session between its server and the miscellaneous clients. These credentials came from a variety of organizations.
Mitigation
Guardicore says end-users who use Exchange-based technologies such as Outlook or ActiveSync (Microsoft’s mobile Exchange synchronization protocol) should actively block Autodiscover.<TLD> domains (such as Autodiscover.com, Autodiscover.com.cn, etc.) in their firewall.
Exchange administrators should make sure that support for basic authentication is disabled because using HTTP basic authentication is the same as sending a password in clear text over the wire.
Software vendors and application developers should make sure that when implementing the Autodiscover protocol in their products they are not letting it “fail upwards”, meaning that domains such as “Autodiscover.<TLD>” should never be constructed by the “back-off” algorithm.
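The URL construction and “back-off” described above, and the vendor fix recommended here, modelled as an added example (this is not Guardicore’s or Microsoft’s code): the flawed builder climbs label by label toward the TLD, the hardened builder refuses to leave the user’s mail domain, and an egress check flags any Autodiscover host the organisation does not control, which is broader than the page’s TLD list and an assumption of this example.

```python
# Added example, not code from Guardicore or Microsoft: models the candidate
# URLs an Autodiscover client builds from an email address, the "back-off"
# that "fails up" toward the TLD, and two defensive checks.
PATH = "/Autodiscover/Autodiscover.xml"


def mail_domain(email: str) -> str:
    """Domain part of the address, lower-cased (e.g. 'example.com')."""
    return email.rsplit("@", 1)[1].strip().lower().rstrip(".")


def primary_candidates(email: str) -> list[str]:
    """The four URLs the client tries first, as listed on the page."""
    d = mail_domain(email)
    return [
        f"https://autodiscover.{d}{PATH}",
        f"http://autodiscover.{d}{PATH}",
        f"https://{d}{PATH}",
        f"http://{d}{PATH}",
    ]


def backoff_candidates(email: str, fail_upwards: bool) -> list[str]:
    """URLs built only after every primary candidate fails.

    fail_upwards=True reproduces the flawed behaviour the page describes:
    leading labels are stripped one at a time and 'autodiscover.' is kept
    as a prefix, so example.com ends at autodiscover.com, a host the
    organisation does not own.  fail_upwards=False is the hardened rule
    (the page's advice to vendors): never build a host outside the user's
    own mail domain, so there is nothing further to try.
    """
    labels = mail_domain(email).split(".")
    if not fail_upwards:
        return []
    return [
        f"http://autodiscover.{'.'.join(labels[i:])}{PATH}"
        for i in range(1, len(labels))
    ]


def is_leaky_autodiscover_host(host: str, org_domain: str) -> bool:
    """Firewall/egress check: True for an Autodiscover host outside the
    organisation's own domain.  Assumption: blocking every such host is
    acceptable; the page itself only names Autodiscover.<TLD> domains."""
    h = host.lower().rstrip(".")
    o = org_domain.lower().rstrip(".")
    if not h.startswith("autodiscover."):
        return False
    parent = h[len("autodiscover."):]
    return not (parent == o or parent.endswith("." + o))
```

Run `backoff_candidates("amit@example.com", fail_upwards=True)` to see the single leaky URL the page quotes, and with `fail_upwards=False` to see the hardened builder produce none.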