Interesting and Worthwhile Interview Now Available
The Cloud Architects is a group of Microsoft MVPs who host a podcast covering Microsoft 365 topics. On October 12, they published episode 56 featuring an interview with Amit Serper, the Guardicore researcher who published Autodiscovering the Great Leak, a report describing “a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain.” The report, which has been updated with information about affected clients (including many Outlook versions), was roundly criticized by many, including myself, for the lack of information it contained. It also caused a bunch of fevered coverage to appear in the technical press, most of which leapt to the conclusion that this was a flaw in Exchange.
The interview (available on YouTube) is worth listening to. It’s regrettable that some of the background and information discussed by Amit Serper wasn’t included in the original report, as I think it would have led to a more reasoned discussion and response. Serper says that this happened because of time constraints and other reasons (like Akamai’s acquisition of Guardicore). Given the time required to add a few extra paragraphs to the report, I’m not so sure.
Super-Hard Problem to Reproduce
For example, Serper revealed that the problem is “super-hard” to reproduce. Guardicore gathered the information about leaked credentials over five months, which is a ton of work. Guardicore purchased a bunch of Autodiscover domains and assigned them to a web server and watched traffic with leaked credentials arrive (Microsoft has since bought up other Autodiscover domains).
To try and track down how the problem happened, Serper built a lab using DetectionLab on AWS which included Exchange 2016 (no data given about cumulative updates) and Windows 10 clients running Outlook 2019. Despite many hours of simulation and observing responses to different failures, no reliable method emerged to reproduce the problem. As Serper observed, he “can’t tell you 100% of the time how to reproduce.” One thing he did notice is that many failures come from home IP addresses, which might indicate that the problem is more evident because of Work from Home.
Client-Side Problem
You can’t deny that a problem exists, and it is client-side. The original Black Hat report from 2017 involved mobile devices made by Samsung and Apple, both of which license Exchange ActiveSync (EAS) and Autodiscover to make it possible for their email clients to connect to Exchange (on-premises and Online). Guardicore’s article points to a long list of Samsung user agents whose credentials were captured and observes that these devices are running old versions of Android and Samsung software. Unfortunately, no analysis of the data is available to show how many instances of credential capture occurred per user agent, so we don’t know if the problem has decreased over time as vendors like Samsung and Apple addressed known issues in their code.
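Since the leak is a client-side request to an Autodiscover host outside the user’s own domain, an organisation can look for it in its own web-proxy logs rather than wait to reproduce it. The script below is an added example (not code from the report, the podcast, or Microsoft): it assumes a simplified proxy log layout and a constructed list of organisation domains, flags Autodiscover requests whose host falls outside those domains, and produces the per-user-agent breakdown the article notes the report did not provide.

```python
import re
from collections import Counter

# Domains the organisation owns or trusts for Autodiscover (assumed; constructed for this example).
ORG_DOMAINS = {"contoso.com", "contoso.co.uk", "outlook.com", "office365.com"}

# Constructed proxy log lines: timestamp client_ip method host path status "user_agent".
SAMPLE_LOG = """\
2021-10-12T08:01:02Z 203.0.113.10 POST autodiscover.contoso.com /autodiscover/autodiscover.xml 200 "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326)"
2021-10-12T08:01:03Z 203.0.113.10 POST autodiscover.contoso.co.uk /autodiscover/autodiscover.xml 200 "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326)"
2021-10-12T08:01:05Z 203.0.113.11 POST autodiscover.com /autodiscover/autodiscover.xml 401 "Android-SAMSUNG-SM-G920F/101.1"
2021-10-12T08:01:06Z 203.0.113.12 GET autodiscover.co.uk /Autodiscover/Autodiscover.xml 200 "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326)"
2021-10-12T08:01:07Z 203.0.113.13 GET www.example.org /index.html 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, host, path, status, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "ua": ua}

def host_in_org(host, org_domains):
    """True when host equals, or is a subdomain of, one of the organisation's domains."""
    return any(host == d or host.endswith("." + d) for d in org_domains)

def is_leaked_autodiscover(entry, org_domains):
    """An Autodiscover request is suspicious when its host lies outside every organisation domain."""
    return entry["path"].lower().startswith("/autodiscover/") and not host_in_org(entry["host"], org_domains)

def find_leaks(log_text, org_domains):
    """Return the parsed entries for every Autodiscover request that left the organisation's domains."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e and is_leaked_autodiscover(e, org_domains)]

def leaks_by_user_agent(leaks):
    """Count suspicious requests per user agent to see which clients are responsible."""
    return Counter(e["ua"] for e in leaks)

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_LOG, ORG_DOMAINS)
    for e in leaks:
        print(f'{e["ts"]} {e["ip"]} -> {e["host"]} ({e["status"]}) {e["ua"]}')
    print(leaks_by_user_agent(leaks))
```

Requests to `autodiscover.contoso.com` and `autodiscover.contoso.co.uk` pass because they sit under organisation domains; the two requests to the bare `autodiscover.com` and `autodiscover.co.uk` hosts are the ones worth investigating.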
Guardicore also reports that Microsoft’s own Mail app from Windows 10 is in the mix (not terribly surprising because it is built from EAS and uses Autodiscover to connect). Amusingly, Serper told of finding a problem in a library used by a Chinese email app only for the response to be “it’s a Microsoft problem” together with a $50 bug bounty award.
Fix Coming?
Serper has been working with the Microsoft Security Response Center (MSRC) since his report appeared. He says that they’re “working on a fix.” Maybe this will be a change to the Autodiscover protocol. If so, I wonder how older clients will receive updates. There’s no word if other protocols (like Exchange Web Services) are involved (one comment on my original article reported a repro using EWS). We’ll have to wait and see.
By his own admission, Amit Serper is not a Microsoft expert. He doesn’t understand how the ecosystem works and relies on hard work and research to navigate the mass of protocols, documentation, clients, implementations, and other parts. He says that “this whole thing sucks” and is obviously annoyed that Microsoft hasn’t done a better job of fixing a problem discovered by other researchers in 2017. If the problem happened through a bad implementation in one email client, it’s likely to appear elsewhere. Microsoft sold EAS to mobile device vendors and has a responsibility to make sure that their implementations don’t compromise the security of the overall ecosystem. It seems like this bug, however hard it is to reproduce, is real and deserves investigation and rectification.
Summary
In summary:
- There is a problem that needs to be fixed with client-side implementations of Autodiscover.
- The issue covers many different user agents (email clients), some of which are very old.
- The problem is hard to reproduce.
- Microsoft needs to work with ISVs and its own product teams to ensure that credentials can’t escape through Autodiscover.
It’s a real pity that Serper didn’t reveal more details in the original report. I don’t think it would have taken much effort – maybe a couple of hours – and it would have resulted in a lot less of the “piling on” and “mudslinging” he considers came his way from Microsoft employees and MVPs. We now await Microsoft’s formal response and plans to address the issue.