none
Autodiscover Vulnerability question - Exchange 2010 SP3 CU13

    Question

  • Hi, please can you let me know how you have protected against the "Autodiscover Enumeration Vulnerability".  My current thoughts are around using an irule on an F5 LTM but am unsure if there is a smarter way?

    many thanks

    T


    Tul Golan

    Saturday, April 30, 2016 8:07 AM

All replies

  • And the vulnerability is?
    Saturday, April 30, 2016 6:54 PM
  • Information disclosure. You can, in theory, use an email address with a set of credentials corresponding to another email address and get the autodiscover response for that email address.

    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de

    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de

    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    Saturday, April 30, 2016 8:14 PM
  • Hi,

    Please find a link to the vulnerability at the bottom, the risk is of a DoS type of attack where an attacker could use a publicly known address book to cause account lockouts.

    any suggestions would be welcome, alongside the exchange 2010SP3CU13 i have F5 & checkpoint firewall devices and CISO Ironports & ADFS 3.0 + WAP

    http://www.securitypentest.com/2014/08/autodiscover-enumeration-vulnerability.html

    http://h.foofus.net/?p=758

    many thanks

    T


    Tul Golan

    Thursday, May 26, 2016 6:17 PM