IT Security

A flaw found in Outlook/Exchange’s Autodiscover feature has resulted in over 100,000 credentials of Windows domains being leaked worldwide. 

What is Autodiscover?

Microsoft’s Autodiscover is a protocol that allows automatic configuration of an email account when an email address and password is provided. This allows third-party email clients (such as Outlook) to automate and acquire configuration settings for an email account, where in the past would have to have been manually entered.

What is the vulnerability?

Amit Serper, a security researcher of Guardicore, discovered this serious flaw after purchasing numerous domains and using this as part of a PoC (Proof-of-Concept) exercise. The domains purchased were variants of the word ‘Autodiscover’ (eg Autodiscover.es, Autodiscover.com.co, etc), and it was learned that attackers could use these domains to intercept clear-text account details including usernames and passwords of users who are having network difficulty (such as incorrectly configured DNS).

The bug stems from how Exchange deals with authentication for email clients. The process is as follows:

1. When credentials are entered, the email client tries to locate the configuration URL in the Service Connection Point (SCP) within Active Directory Domain Services (AD DS)
2. If this can’t be found then it uses one of the auto generated Autodiscover URL’s
3. When the email client tries to build an Autodiscover URL from the user’s email addresses it sends the credentials to Autodiscover endpoints and waits for a response
4. However, if a mail client is unable to authenticate on a given URL, it will attempt to authenticate on other URL’s (other Autodiscover variants – that an attacker may have purchased the domain for) and that is when credentials could have inadvertently been leaked.

The reason credentials could be seen in clear-text is because an unsecure protocol called Hypertext Transfer Protocol (HTTP) is being used.

Why is this important?

This flaw is incredibly severe, not only because it provides attackers credentials for email accounts, but these credentials may have also been used for accessing other systems like Active Directory.

It is also concerning that such a dangerous flaw could be found in a product that has existed for so long; as you would expect Exchange developers and security experts over the years to have spotted what seems to be a fairly rudimental oversight.

What should you do as a business?

Jeff Jones, Microsoft’s Senior Director confirmed the company was looking into the issue and would update customers once a fix had been implemented. He also commented that Guardicore should have made Microsoft aware of the bug before publishing the finding online, as this puts users more at risk.

Guardicore have offered some suggestions to help protect you from the bug:

- Block Autodiscover domains (such as Autodiscover.co and Autodiscover.es) on your firewall
- When configuring Exchange, make sure that support for basic authentication is disabled ie make sure HTTP basic authentication is not enabled
- For developers and vendors, make sure the Autodiscover protocol in your product is not letting it “fail upwards”, meaning that Autodiscover domains should not be constructed by the “back-off” algorithm.

There is also a .txt file available online that lists all possible Autodiscover domains which can be added to your company’s firewall.

Conclusion

Unfortunately, from an organisation’s perspective, Microsoft don’t seem to have an immediate fix or strategy to avoid the Autodiscover bug. If the above suggestions have been implemented, along with monitoring any login or access requests that look suspect, organisations can at least go some way to evading the vulnerability.

However, If your company’s Autodiscover infrastructure suffers from issues on any given day, you could be running the risk of exposing your credentials.

if you would like further advice or information on how to best protect your business, don’t hesitate to contact us.