MS16-079: Security Update for Microsoft Exchange Server (3160339)

critical Nessus Plugin ID 91612
VPR Score: 5.9

Synopsis

The remote Microsoft Exchange Server is affected by multiple vulnerabilities.

Description

The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities:

- Multiple stack buffer overflow conditions exist in the Oracle Outside In subcomponent due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-6013, CVE-2015-6014, CVE-2015-6015)

- An email filter bypass flaw exists in the parsing of HTML messages. An unauthenticated, remote attacker can exploit this, via specially crafted URLs in OWA messages, to identify, fingerprint, and track a user online if the user views email using Outlook Web Access. (CVE-2016-0028)

Solution

Microsoft has released a set of patches for Exchange Server 2007, 2010, 2013, and 2016.

See Also

http://www.nessus.org/u?46507b18

Plugin Details

Severity: Critical

ID: 91612

File Name: smb_nt_ms16-079.nasl

Version: 1.12

Type: local

Agent: windows

Published: 6/15/2016

Updated: 4/20/2021

Dependencies: ms_bulletin_checks_possible.nasl, microsoft_exchange_installed.nbin

Risk Information

Risk Factor: Critical

VPR Score: 5.9

CVSS Score Source: CVE-2015-6013

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 6/14/2016

Vulnerability Publication Date: 1/19/2016

Reference Information

CVE: CVE-2015-6013, CVE-2015-6014, CVE-2015-6015, CVE-2016-0028

BID: 81227, 81233, 81243, 91115

MSFT: MS16-079

MSKB: 3151086, 3151097, 3150501

CERT: 916896