Attacker Value
Very High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2018-8302

Disclosure Date: August 15, 2018

Description

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka “Microsoft Exchange Memory Corruption Vulnerability.” This affects Microsoft Exchange Server.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

A .NET deserialization vulnerability exists within Exchange when configured with Unified Messaging (UM). An attacker needs to be able to authenticate as an Exchange user with a configured UM voice mailbox. After doing so, they utilize Exchange Web Services (EWS) to upload a malicious payload before calling the target user to leave a voice mail, resulting in code execution. The target user does not need to listen to the voice mail in order for the payload to be executed.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • exchange server 2010
  • exchange server 2013
  • exchange server 2016
