Issued: Monday, 4 October, 2021
Last Revision: Monday, 4 October, 2021
Autodiscover is a protocol used by Microsoft Exchange for the automatic configuration of clients such as Microsoft Outlook.
It has a design flaw that causes the protocol to "leak" web requests to Autodiscover domains outside of the user's domain but in the same TLD (e.g. Autodiscover.com).
This is a severe security issue: an attacker who controls such a domain, or who can "sniff" traffic on the same network, can capture domain credentials transferred over the wire in plain text (HTTP basic authentication).
| Description | CVE | CVSS3.0 Score |
| --- | --- | --- |
| Microsoft's Exchange Autodiscover protocol | N/A | N/A |

Table 1: Vulnerability details
| Vulnerability / CVE | Affected Product(s) |
| --- | --- |
| N/A | Microsoft Exchange |

Table 2: Vulnerability Versions
Disable basic authentication when deploying or configuring Exchange; HTTP basic authentication sends credentials in plain text.
Block Autodiscover domains such as "Autodiscover.com.cn" in your firewall.
Software developers implementing the Autodiscover protocol should never let the "back-off" algorithm construct domains such as "Autodiscover.<TLD>" that lie outside the user's own domain.
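The following added example (not Microsoft's or any client's real code; domain names and log lines are constructed) contrasts the flawed "back-off" candidate generation described above with a bounded variant that never leaves the user's own domain, and adds a defender-side check that flags outbound Autodiscover requests to hosts the organisation does not own.

```python
"""Autodiscover 'back-off' leak: flawed vs bounded candidate generation,
plus a proxy-log check. Illustration only; not a real client's code."""
from typing import List


def _domain(email: str) -> str:
    return email.split("@", 1)[1].strip().lower()


def backoff_candidates(email: str) -> List[str]:
    """Flawed back-off: after autodiscover.<domain> fails, strip the leftmost
    label and retry until only the TLD is left, so user@corp.example.com
    ends up probing autodiscover.com, a host the user's org does not own."""
    labels = _domain(email).split(".")
    hosts = []
    while labels:
        hosts.append("autodiscover." + ".".join(labels))
        labels = labels[1:]
    return hosts


def bounded_candidates(email: str) -> List[str]:
    """Fixed behaviour: only hosts under the user's own domain are tried."""
    domain = _domain(email)
    return [domain, "autodiscover." + domain]


def leaked_hosts(email: str) -> List[str]:
    """Hosts the flawed algorithm contacts that are outside the user's domain."""
    domain = _domain(email)
    return [h for h in backoff_candidates(email)
            if h != domain and not h.endswith("." + domain)]


def flag_autodiscover_leaks(log_lines: List[str], org_domains: List[str]) -> List[str]:
    """Defender check over constructed proxy lines "<src> <host> <path>":
    report Autodiscover hosts not under any organisation-owned domain.
    Also catches multi-label cases such as autodiscover.com.cn."""
    suspicious = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[1].lower()
        if not host.startswith("autodiscover."):
            continue
        if not any(host == d or host.endswith("." + d) for d in org_domains):
            suspicious.append(host)
    return suspicious


SAMPLE_LOG = [  # constructed sample lines
    "10.0.0.5 autodiscover.corp.example.com /autodiscover/autodiscover.xml",
    "10.0.0.5 autodiscover.com /autodiscover/autodiscover.xml",
    "10.0.0.7 autodiscover.com.cn /autodiscover/autodiscover.xml",
]
```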
