KLA11302 Multiple vulnerabilities in Microsoft Exchange Server

Multiple serious vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit these vulnerabilities to execute arbitrary code and bypass security restrictions.

Below is a complete list of vulnerabilities:

1. An tampering vulnerability can be exploited via specially crafted application to bypass security restrictions;
2. An improper memory handling vulnerability can be exploited remotely via specially crafted email to execute arbitrary code;

Original advisories

CVE-2018-8374

CVE-2018-8302

Related products

Microsoft-Exchange-Server

CVE list

CVE-2018-8374 warning

CVE-2018-8302 critical

KB list

4340733

4340731

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 23Microsoft Exchange Server 2013 Cumulative Update 20Microsoft Exchange Server 2013 Cumulative Update 21Microsoft Exchange Server 2016 Cumulative Update 10Microsoft Exchange Server 2016 Cumulative Update 9