Microsoft has fixed two vulnerabilities in Microsoft Exchange Server 2019, 2016 and 2013 that allow remote code execution and information disclosure.
According to the security advisory, the remote code execution vulnerability (CVE-2019-0586) is caused by Exchange Server improperly handling objects in memory. Successful exploitation lets an attacker run code in the context of the System user and, as a result, install software, view, modify and delete data, and create new accounts.
To exploit the vulnerability, the attacker must send a specially crafted email to the vulnerable server. Microsoft fixed the issue by correcting how Exchange Server handles objects in memory.
The information disclosure vulnerability (CVE-2019-0588) exists because the Exchange Server PowerShell API grants more permissions on a calendar than intended. To exploit it, an attacker must first be granted access to the calendar by an administrator via PowerShell; the attacker can then view details about the calendar that would normally be hidden.
Microsoft rates the security updates that fix both vulnerabilities as “important”. They can be installed automatically via Windows Update or downloaded manually from the Microsoft website.