CVE-2018-8302: Microsoft Exchange Memory Corruption Vulnerability Alert

On Tuesday, August 14, Microsoft released its August security update, which addresses a high-risk memory corruption vulnerability (CVE-2018-8302). The vulnerability stems from the software failing to handle objects in memory correctly, and an attacker who successfully exploited it could run arbitrary code in the context of the System user. The attacker could then install programs; view, change or delete data; or create new accounts.

Exploitation of this vulnerability requires that the Exchange server be configured with Unified Messaging (UM), which is not the default Exchange setting. An attacker can then trigger the vulnerability by sending a specially crafted email to a vulnerable Exchange server.

This update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Affected versions

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 23
  • Microsoft Exchange Server 2013 Cumulative Update 20
  • Microsoft Exchange Server 2013 Cumulative Update 21
  • Microsoft Exchange Server 2016 Cumulative Update 10
  • Microsoft Exchange Server 2016 Cumulative Update 9
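
To triage exposure, an administrator can check whether the UM precondition described above is met and list each server's version for comparison with the affected versions. The script below is an added example, not code from Microsoft or from the original alert. It assumes it is run in the Exchange Management Shell with read access to the organization, and it treats "UM configured" as the presence of at least one UM dial plan or UM-enabled mailbox.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumption: "UM configured" is taken to mean that at least one UM dial plan
# exists or at least one mailbox is UM-enabled.

# Inventory every Exchange server with its role and version so the version can
# be compared by hand with the affected versions listed in this alert.
$servers = Get-ExchangeServer |
    Select-Object Name, ServerRole, Edition, AdminDisplayVersion

# UM dial plans are organization-wide objects; none means UM was never set up.
$dialPlans = @(Get-UMDialPlan)

# Mailboxes that have been enabled for Unified Messaging.
$umMailboxes = @(Get-UMMailbox -ResultSize Unlimited)

$umConfigured = ($dialPlans.Count -gt 0) -or ($umMailboxes.Count -gt 0)

$servers | Format-Table -AutoSize
"UM dial plans        : {0}" -f $dialPlans.Count
"UM-enabled mailboxes : {0}" -f $umMailboxes.Count

if ($umConfigured) {
    Write-Warning "Unified Messaging is configured: prioritize the August 2018 Exchange security update on these servers."
} else {
    Write-Output "No UM dial plans or UM-enabled mailboxes found: the UM precondition for CVE-2018-8302 is not met. The security update should still be applied."
}
```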

Solution

Microsoft has fixed the above vulnerability in this monthly security update; please download and install the update as soon as possible to protect affected servers.