SRC-2021-0004 : Microsoft Exchange Server msExchEcpCanary Cross Site Request Forgery Elevation of Privilege Vulnerability
CVE ID: CVE-2021-24085
CVSS Score: 6.5, (/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)
Affected Vendors: Microsoft
Affected Products: Microsoft Exchange Server
This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server. Authentication and user interaction are required to exploit this vulnerability, in that the target must visit a malicious page.
The specific flaw exists within the HasValidCanary function inside the Canary15 class. The issue results from the insecure generation of cross-site request forgery tokens, which can be used to install an Office add-in. An attacker can leverage this vulnerability to escalate privileges to an administrative account.
Microsoft has issued an update to correct this vulnerability. More details can be found at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24085
2020-05-20 – Sent to Microsoft
2021-02-09 – Coordinated public release of advisory
Proof of Concept:
Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team