Exchange Security Hole, Delayed Updates, and Basic Authentication End Date Announced –


Exchange Security Hole, Delayed Updates, and Basic Authentication End Date Announced

This week brings news from Exchange Online regarding Basic Authentication, as well as a September cumulative update deadline for Exchange Server.

If that wasn’t enough, a major security vulnerability was discovered in Exchange Server regarding its use of the Autodiscover client configuration component. According to researchers at Guardicore Labs, this Autodiscover issue has overturned tens of thousands of Windows domain credentials.

Basic authentication ending October 1, 2022
Basic authentication in Exchange Online and other services will end on October 1, 2022, the Exchange team said Thursday.

In June, Microsoft announced that it would simply disable Basic Authentication for Exchange Online when it found it was not in use by organizations, and it offered a “reactivation tool” for organizations that still clung to it. This week’s announcement, however, made it clear that Basic authentication ends, forever, “regardless of use.”

“We are not offering the option to use Basic authentication after October 2022,” the announcement explained in its FAQ section. “You need to make sure that your dependency on Basic authentication in Exchange Online has been removed at this time. “

Some kind of trial of this Basic authentication deactivation is planned for “early 2022”, when Microsoft plans to “selectively select tenants and disable Basic authentication for all affected protocols, at the exception of SMTP AUTH for a period of 12 to 48 hours.Even though Basic authentication will be restored after this period, there will still be a final shutdown for it on October 1, 2022.

There is a way to request a “limited deactivation” in the interim using the Microsoft 365 admin center, but Basic authentication is still coming to an end.

Basic authentication involves using a simple username and password to authenticate with a service, such as Exchange Online. It is a potentially insecure approach that is still used with older client applications. The problem with Basic Authentication is that it is prone to password spray attacks, which involve trying passwords commonly used in an organization to gain a foothold.

Microsoft wants organizations to move to client applications that leverage what’s known as “modern authentication” and use multi-factor authentication (a secondary way of verifying user credentials beyond a single word). outmoded).

September cumulative updates for Exchange Server delayed
In other news regarding Exchange Server, Microsoft noted last week that cumulative updates (CU) for Exchange Server products would be delayed.

Exchange Server CUs typically arrive on the “third Tuesday of the month”. September 21 would have been the release date for CU for Exchange Server, but Microsoft is pushing the release date back to September 28.

The delay is being done to improve the quality of CUs, the announcement said. It is also in the process of distributing “a new security-related feature,” which has not been explained, but will be explained in “an upcoming blog post,” Microsoft promised.

Regarding the quality of Exchange Server patches, Rhoderick Milne, senior customer engineer at Microsoft, noted in a recent blog post that Microsoft had failed to update its March patches for issues associated with attacks. ” Hafnium “, nicknamed” ProxyLogon “. He also described Microsoft’s shortcomings with its July Exchange Server fixes.

“There were several issues to be addressed in the July 2021 Exchange security updates,” Milne wrote. “In this case, the AD DS schema was not updated because the latest CU was not installed on the server.”

Exchange Server, Autodiscover, and Windows Domain Credentials Leaked
Meanwhile, the Guardicore Labs team recently reported that they have access to “tens of thousands” of Windows domain credentials through a flaw in Autodiscover, which is used to make it easier for end users to sign in to Exchange Server accounts. through an automatic configuration process for client applications. .

Considering these Windows domain credentials, it is possible for an attacker to “capture plain text domain credentials (HTTP basic authentication) which are transferred over the wire”. An attacker can then use DNS poisoning to siphon “leaky passwords”, Guardicore Labs added.

Security protections can even be downgraded to Basic authentication, Guardicore Labs said.

In addition, we have developed an attack – ‘The ol’ switcheroo ‘- which downgrades a client’s authentication scheme from a secure scheme (OAuth, NTLM) to HTTP basic authentication where credentials are sent in clear text, ”the researchers said.

Guardicore did not describe Microsoft’s reaction to the Exchange Server Autodiscover vulnerability, but did offer some “mitigation tips. The general public should ensure that they block domains used by Autodiscover. at the firewall IT pros should disable Basic authentication when deploying or configuring Exchange Software vendors should not let Autodiscover “fail up”.

About the Author

Kurt Mackie is Senior News Producer for 1105 Media’s Converge360 Group.

Source link

Previous Work begins on £ 2million Hartpury Digital Innovation Farm Tech Box Park -
Next 1.9 million square foot industrial park under construction in Stafford

No Comment

Leave a reply

Your email address will not be published. Required fields are marked *