Exchange Admin 2022 Integration Pack v10.22.1.* has a known security issue, and we strongly recommend that customers update to the latest build, v10.22.2.5, which can be downloaded here.
What is the issue?
In SC Orchestrator, the Runbook Author role is responsible for creating and maintaining runbooks. A malicious Runbook Author can gain Exchange Online management privileges that are intended to be available only to the Orchestrator Administrator.
Runbook Authors can view the passphrase that protects the private key of the certificate configured to authenticate to the Azure Active Directory (AAD) application used by the Exchange Admin 2022 v10.22.1.* Integration Pack (IP). If they can additionally obtain a copy of that private key (the .pfx file), they can use the certificate to issue management commands to Exchange Online through Exchange Online PowerShell (EXO PS), posing as the AAD application identity mentioned above.
Masquerading as the AAD application identity lets the malicious Runbook Author bypass the auditing and logging that Orchestrator attaches to runbook execution and editing: the commands never pass through a runbook, so Orchestrator records nothing, and Exchange Online sees only the application identity.
Who is affected?
Customers on SC Orchestrator 2022 using Exchange Admin 2022 Integration Pack v10.22.1.* to configure Exchange Online (M365 Exchange) servers are potentially affected.
Customers that use Exchange Admin 2022 Integration Pack to configure Exchange On-Premises servers are not affected.
How do I know if the vulnerability has been exploited?
Unfortunately, there is no direct way to detect whether this vulnerability has been exploited, because a misused certificate is indistinguishable from legitimate use on the Orchestrator side. You can review the Exchange Online audit logs for Exchange Online PowerShell commands issued under the IP's AAD application identity that do not correspond to runbook activity (for example, commands from a host other than the Orchestrator runbook servers, or cmdlets the runbooks never use). Because this review is indirect, it is strongly recommended to update the Integration Pack to the latest version as soon as possible.
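The following script is an added example of such a review; it is not part of the original advisory or of the Integration Pack. It pulls ExchangeAdmin records from the unified audit log with Search-UnifiedAuditLog, keeps those attributed to the IP's AAD application, and flags any that came from a client IP other than the Orchestrator runbook servers. The application ID, the Orchestrator server addresses, and the AuditData field names used to attribute a record to the application (AppId and UserId) are assumptions to be checked against your own tenant's records.

```powershell
# Added example (not from the advisory): hunt the Exchange Online unified audit
# log for admin cmdlets run under the AAD application identity used by the
# Exchange Admin 2022 IP, from hosts other than the Orchestrator runbook servers.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in
# admin may run Search-UnifiedAuditLog, and the values below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange/compliance admin

$AppId           = '00000000-0000-0000-0000-000000000000'  # placeholder: IP's AAD app (client) ID
$OrchestratorIPs = @('10.0.0.10', '10.0.0.11')             # placeholder: runbook server egress IPs
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date

# Page through all Exchange admin audit records in the window (5000 per page,
# same SessionId and ReturnLargeSet so the service keeps returning the next page).
$sessionId = 'EXO-IP-hunt-' + [guid]::NewGuid()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType ExchangeAdmin -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $page
} while (@($page).Count -eq 5000)

# AuditData is a JSON blob; keep the records issued by the application identity.
# Assumption: app-only sessions surface the application ID in AppId and/or UserId.
$appActivity = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.AppId -ne $AppId -and $d.UserId -notlike "*$AppId*") { continue }

    # ClientIP may carry a trailing :port for IPv4; strip it before comparing.
    $ip = $d.ClientIP -replace '^(\d{1,3}(\.\d{1,3}){3}):\d+$', '$1'
    [pscustomobject]@{
        Time             = $r.CreationDate
        Cmdlet           = $d.Operation
        ClientIP         = $ip
        Parameters       = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        FromOrchestrator = $OrchestratorIPs -contains $ip
    }
}

# Commands under the app identity from any other host are what a Runbook Author
# masquerading with the stolen certificate would produce.
$appActivity | Where-Object { -not $_.FromOrchestrator } |
    Sort-Object Time | Format-Table Time, Cmdlet, ClientIP, Parameters -AutoSize
```

Records that do come from the Orchestrator servers are not automatically benign either: compare the cmdlet names and parameters against what the deployed runbooks actually call, since a Runbook Author with access to a runbook server could run EXO PS from there as well.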
Exchange Admin 2022 Integration Pack v10.22.2.5 and above fix this vulnerability by handling the certificate passphrase securely. Because the old passphrase must be assumed to be known to every Runbook Author, upgrading alone is not enough; the Orchestrator Administrator should follow these steps to mitigate the issue:
1. Review the ExchangeAdmin Integration Pack configuration steps on how to set up the AAD app and certificate.
2. Remove the existing certificate from the AAD application and upload a new certificate whose private key is protected with a different passphrase.
3. Delete the existing Exchange Admin 2022 IP configurations (the ones that used the old certificate) using the Runbook Designer.
4. Uninstall and de-register the ExchangeAdmin v10.22.1.* IP from Orchestrator.
5. Download ExchangeAdmin v10.22.2.5 (or above) here and deploy it.
6. Recreate the configurations removed in step 3 with the new certificate's details.
7. [Optional best practice] Ensure that the private key file (.pfx) is secured on disk so that it is readable by the Orchestrator service account and inaccessible to other identities, including Runbook Authors.
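The script below is an added example covering steps 2 and 7 of the procedure above; it is not part of the advisory or of the Integration Pack's own setup. It generates the replacement certificate on the Orchestrator runbook server, exports the public part for upload to the AAD application and the private key as a .pfx protected by a freshly prompted passphrase, and then replaces the .pfx file's ACL so that only the Orchestrator service account, Administrators and SYSTEM can read it. The service account name, certificate subject and file paths are placeholders.

```powershell
# Added example (not from the advisory): create the replacement certificate for
# the Exchange Admin 2022 IP's AAD application, export it, and restrict the .pfx
# on disk to the Orchestrator service account.
# Assumptions: run elevated on the Orchestrator runbook server; the account,
# subject and paths below are placeholders for your environment.

$ServiceAccount = 'CONTOSO\svc-orchestrator'           # placeholder: Orchestrator service account
$PfxPath        = 'C:\Orchestrator\Certs\exo-ip.pfx'   # placeholder: path the IP configuration will use
$CerPath        = 'C:\Orchestrator\Certs\exo-ip.cer'   # public certificate for the AAD app registration

# Prompt for the new passphrase instead of embedding it in a script or runbook
# variable, which is where a Runbook Author could read it.
$Passphrase = Read-Host -AsSecureString -Prompt 'New private-key passphrase'

# Step 2a: new RSA-2048/SHA-256 signing key in the machine store. Exportable only
# because the IP needs the key as a .pfx file.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=Orchestrator-EXO-IP' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null

# Step 2b: the .cer is what you upload under the AAD app's certificates (in place
# of the removed one); the passphrase-protected .pfx is what the IP configuration points at.
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Passphrase | Out-Null

# Step 7: break inheritance without copying the inherited ACEs, drop any explicit
# ACEs, then grant Read to the service account and FullControl to admins/SYSTEM only.
$acl = Get-Acl -Path $PfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
$grants = @(
    @($ServiceAccount,          'Read'),
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl')
)
foreach ($g in $grants) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($g[0], $g[1], 'Allow'))
}
Set-Acl -Path $PfxPath -AclObject $acl

# Verify: exactly the three identities above should be listed.
(Get-Acl -Path $PfxPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Write-Host "Register this thumbprint on the AAD app and in the IP configuration: $($cert.Thumbprint)"
```

After the new certificate is in use (steps 5 and 6), also delete the old .pfx from disk and the old key from the certificate store on every runbook server, and confirm in the AAD app registration that only the new certificate remains; the old passphrase is only harmless once the key it protected no longer exists anywhere.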
If you need help or have any questions, please create a Support request or ask community experts at Microsoft Q&A.