Guardicore cybersecurity researchers have been able to capture hundreds of thousands of Windows domain and application credentials thanks to the design and implementation of the Autodiscover protocol used by Microsoft Exchange. According to Microsoft, the Exchange Autodiscover service “provides your client applications with an easy way to configure themselves with minimal user input”. For example, this allows users to configure Outlook clients only by providing a username and password. Back in 2017, researchers warned that an implementation issue auto-discovered by mobile email clients could lead to information leaks, when disclosed vulnerabilities were patched. However, an analysis by cloud and data center security firm Guardicore earlier this year revealed that there are still some serious issues with the design and implementation of auto-discovery.
Microsoft’s Autodiscover protocol is designed to simplify the configuration of Exchange clients such as Microsoft Outlook. The protocol’s goal is to allow end users to fully configure their Outlook clients to provide only their username and password, and leave the rest of the configuration to Microsoft Exchange’s Autodiscover protocol. Because Microsoft Exchange is part of the “Microsoft Domain Suite” of the solution, it’s important to understand that in most cases, the credentials necessary to log into an Exchange-based inbox are their domain credentials.
This problem is related to the “fallback” procedure. When the client is configured with Autodiscover, the client will attempt to construct a URL based on the user-provided email address. The URL looks like this: https://Autodiscover.example.com/Autodiscover/Autodiscover.xml or https://example.com/Autodiscover/Autodiscover.xml.
However, if there is no URL response, the “fallback” mechanism kicks in and attempts to contact a URL of the following format:
“This means that no matter who the owner of Autodiscover.com is, all requests that cannot reach the original domain will be received,” Guardicore explained.
The company registers nearly 12 autodiscover domain names (eg Autodiscover.com.cn, Autodiscover.es, Autodiscover. in autodiscovery.uk) and assigns them to web servers under its control.
From April 16, 2021 to August 25, 2021, their servers captured over 370,000 Windows domain certificates and over 96,000 unique certificates from applications such as Outlook and mobile email clients.
These certificates come from public companies, food manufacturers, power plants, investment banks, shipping and logistics companies, real estate companies, fashion and jewellery companies. The impact of a domain certificate leak on this scale is enormous and can put an organization at risk. Especially in today’s world ravaged by ransomware attacks, the easiest way for an attacker to get into an organization is with legitimate and valid credentials.
“This is a serious security concern because if an attacker were able to control such a domain or have the ability to ‘sniff’ traffic within the same network, they could capture plain-text domain credentials (HTTP Basic Authentication) transmitted over the network. Additionally, if attackers have large-scale DNS poisoning capabilities (such as nation-state attackers), they can systematically extract leaked passwords through large-scale DNS poisoning campaigns based on these auto-discovered top-level domains,” Guardicore said.
In 2017, researchers at Shape Security published a paper discussing how the implementation of auto-discovery on mobile mail clients such as the Samsung mail client on Android and the Apple mail client on iOS could lead to such leaks ( CVE-2016-9940, CVE-2017-2414). The vulnerability disclosed by Shape Security has already been patched, however, we face a much bigger threat in 2021, just having to deal with the exact same issue on more third-party apps than email clients. These apps expose their users to the same risks. Guardicore has initiated responsible disclosure procedures for some of the affected suppliers.
The researchers also devised an attack that could be used to degrade the client’s authentication scheme, allowing an attacker to obtain a certificate in clear text. The client would initially try to use a secure authentication scheme such as NTLM or OAuth to protect the credentials from prying eyes, but the attack resulted in a downgrade of authentication to HTTP Basic, where the credentials are sent in clear text.
Guardicore pointed out that the data leak occurred because of the way the app developers implemented the protocol. They prevent it from building urls that could be abused by attackers.
Often, attackers will try to get users to send their credentials by applying various techniques, be it technical or social engineering. However, the incident shows that passwords can be leaked to the perimeter of an organization through a protocol designed to simplify IT operations regarding email client configuration without anyone in IT or security even knowing about it, stressed The importance of proper network segmentation and zero trust.
Guardicore said its labs are continuing to work to secure networks, applications and protocols by detecting, alerting and disclosing these issues.