Vulnerabilities > CVE-2015-1631 - Improper Access Control vulnerability in Microsoft Exchange Server 2013

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
microsoft
CWE-284
nessus

Summary

Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via unspecified vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Msbulletin

bulletin_idMS15-026
bulletin_url
date2015-03-10T00:00:00
impactElevation of Privilege
knowledgebase_id3040856
knowledgebase_url
severityImportant
titleVulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS15-026.NASL
descriptionThe remote Microsoft Exchange server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple cross-site scripting vulnerabilities exist due to improper sanitization of page content in Outlook Web App. An attacker can exploit these vulnerabilities by modifying properties within Outlook Web App and then convincing a user browse to the targeted Outlook Web App site, resulting in the execution of arbitrary script code in the context of the current user. (CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, CVE-2015-1632) - A spoofing vulnerability exists due to a failure to properly validate the meeting organizer
last seen2020-06-01
modified2020-06-02
plugin id81740
published2015-03-10
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/81740
titleMS15-026: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81740);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2015-1628",
    "CVE-2015-1629",
    "CVE-2015-1630",
    "CVE-2015-1631",
    "CVE-2015-1632"
  );
  script_bugtraq_id(
    72883,
    72887,
    72888,
    72890,
    72895
  );
  script_xref(name:"MSFT", value:"MS15-026");
  script_xref(name:"MSKB", value:"3040856");

  script_name(english:"MS15-026: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856)");
  script_summary(english:"Checks version of ExSetup.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Microsoft Exchange server is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Microsoft Exchange server is missing a security update. It
is, therefore, affected by multiple vulnerabilities :

  - Multiple cross-site scripting vulnerabilities exist due
    to improper sanitization of page content in Outlook Web
    App. An attacker can exploit these vulnerabilities by
    modifying properties within Outlook Web App and then
    convincing a user browse to the targeted Outlook Web App
    site, resulting in the execution of arbitrary script
    code in the context of the current user. (CVE-2015-1628,
    CVE-2015-1629, CVE-2015-1630, CVE-2015-1632)

  - A spoofing vulnerability exists due to a failure to
    properly validate the meeting organizer's identity when
    accepting or modifying meeting requests. A remote
    attacker can exploit this issue to send forged meeting
    requests appearing to originate from a legitimate
    organizer. (CVE-2015-1631)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-026");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Exchange 2013.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1631");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("install_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
port = kb_smb_transport();

bulletin = 'MS15-026';
kb = '3040856';
kbs = make_list(kb);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

# Release is numeric version
version = get_kb_item_or_exit('SMB/Exchange/Version');
sp = int(get_kb_item('SMB/Exchange/SP'));

if (version != 150) # 2013
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

exch_root = get_kb_item_or_exit('SMB/Exchange/Path', exit_code:1);
# remove trailing slashes from path so it looks good when reporting
if(exch_root[strlen(exch_root) - 1] == "\")
  exch_root = substr(exch_root, 0, strlen(exch_root) - 2);

share     = hotfix_path2share(path:exch_root);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# If Exchange 2013 is installed, make sure it is CU4 (aka SP1) or CU7 before continuing
# set cu
cu = NULL;
if (version == 150)
{
  exe = hotfix_append_path(path:exch_root, value:"Bin\msexchangerepl.exe");
  ret = hotfix_get_fversion(path:exe);
  if (ret['error'] != HCF_OK)
  {
    hotfix_check_fversion_end();
    audit(AUDIT_FN_FAIL, 'hotfix_get_fversion');
  }
  exe_ver = join(ret['value'], sep:'.');

  if(exe_ver =~ "^15\.0\.847\.") cu = 4; # SP4
  if(exe_ver =~ "^15\.0\.1044\.") cu = 7; # CU7
  if (isnull(cu))
  {
    hotfix_check_fversion_end();
    audit(AUDIT_INST_VER_NOT_VULN, 'Exchange 2013', exe_ver);
  }
}

fixedver = NULL;

if (version == 150 && cu == 4) # 2013 SP1 AKA CU4
{
  fixedver = "15.0.847.38";
}
else if (version == 150 && cu == 7) # 2013 CU7
{
  fixedver = '15.0.1044.29';
}

if (hotfix_is_vulnerable(path:exch_root, file:"Bin\ExSetup.exe", version:fixedver, bulletin:bulletin, kb:kb))
{
  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  set_kb_item(name:'www/0/XSS', value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}