MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote mail server is affected by multiple vulnerabilities.

Description :

The version of Microsoft Exchange installed on the remote host is
affected by multiple vulnerabilities :

- A token spoofing vulnerability exists due to Microsoft
Outlook Web App (OWA) not properly validating request
tokens. A remote attacker can exploit this vulnerability
by convincing a user to visit a website with specially
crafted content, allowing the attacker to send email
that appears to come from a user other than the
attacker. (CVE-2014-6319)

- Multiple cross-site scripting vulnerabilities exist due
to Microsoft Exchange not properly validating input. A
remote attacker can exploit these vulnerabilities by
convincing a user to click a specially crafted URL to
the targeted Outlook Web App site. (CVE-2014-6325,
CVE-2014-6326).

- A spoofing vulnerability exists due to Microsoft
Outlook Web App (OWA) not properly validating
redirection tokens. An attacker can exploit this
vulnerability to redirect a user to an arbitrary domain
from a link that appears to originate from the user's
domain. An attacker can also exploit this vulnerability
to send email that appears to come from a user other
than the attacker. (CVE-2014-6336).

See also :

https://technet.microsoft.com/library/security/MS14-075

Solution :

Microsoft has released a set of patches for Exchange 2007 SP3, 2010
SP3, and 2013 SP1 / CU6.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 79827 ()

Bugtraq ID: 71437
71440
71441
71442

CVE ID: CVE-2014-6319
CVE-2014-6325
CVE-2014-6326
CVE-2014-6336

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now