Two-factor authentication is slowly seeping into the mainstream – enterprises, where security have been a critical issue, were already using some form of multi-factor authentication, but the ease with which 2FA can be enabled on most online services have compelled even the less-critical businesses to enable it.
2FA is recommended by every security expert around the world – it is an additional layer of security, and particularly useful to those with a not-so-secure password.
It is, however, a double-edged sword – the over-reliance & comfort of a 2FA security makes users comfortable with a bad password – after all, attackers still need that one-time code to gain access, as the password is not enough. That, it turns out, is a problem.
While two-factor authentication, in theory, is quite secure; how secure it is in practice, depends on the implementation of it.
It appears, enterprises running an Exchange Server with 2FA enabled for their users have been living under a false sense of protection – the 2FA protection can be easily bypassed via Exchange Web Services.
The issue was discovered by Beau Bullock of Black Hills information Security, a security consultancy firm based in South Dakota. You can read the full post detailing the bypass if you would like to – but here’s a summary.
By default, the Exchange servers are exposing two services at the same port – Exchange Web Services, and Outlook Web Access. While EWS is mostly used by thick-clients that could link with Exchange – such as Microsoft’s own Outlook for Mac; OWA is built for users to access their Exchange emails via the web.
Here’s the problem: with 2FA enabled, while OWA behaves as intended – asking for the authentication code – EWS only requires the user credentials.
It’s not as much of an exploit, but an issue with implementation – this security design makes 2FA completely useless, as an attacker can gain access to the Exchange server via EWS despite the user having 2FA enabled.
Outlook with Office 365
The issue is also present in Office 365 – but not to the same extent; Office 365 exposes EWS as well – much like an Exchange server – and the same method can be used to access emails from an Office 365 Outlook account.
However, there appears to be additional security with Office 365 – the method only works if 2FA was enabled recently; after a certain amount of time, the EWS bypass stops working.
Bullock has made a video demonstrating this delay in enabling these extra security features, which you can watch above.
Beau Bullock and the team at Black Hills Information Security privately disclosed this vulnerability to Microsoft on September 28th. Microsoft responded to the disclosure, only to inform Bullock that there were no updates.
Alas, on November 2nd, the team at BSIC published full details of the vulnerability on their blog. The entire timeline of the disclosure, including Microsoft’s responses, can be found in Bullock’s blogpost.
In his blog post, Bullock does mention the solution Microsoft suggested him – disable EWS – it’s simple, and it works. It will, however, break several thick-clients such as Microsoft’s own Outlook for Mac.
It also appears that this issue is not new – several people have mentioned that this problem has been present for years, and Microsoft itself exposes a single-factor Exchange for their employees using a Mac.
That doesn’t excuse the lack of security, though: Microsoft has been providing enterprise services for decades, and a complete lack of care in regards to security where it truly matters is astonishing, to say the least.
There isn’t an easy fix for this problem, but if Microsoft cannot manage to solve this issue; perhaps they should listen to their own suggestion – make EWS disabled by default, rather than enabled.