Exchange Admin 2022 Integration Pack v10.22.1.* has known issues, and we strongly recommend that customers update to the latest build, v10.22.2.5, which can be downloaded here.
In SC Orchestrator, the Runbook Author role is responsible for creating and maintaining runbooks. A malicious Runbook Author can gain privileges for Exchange Online server management tasks that are available to the Orchestrator Administrator.
Runbook Authors can view the passphrase of the certificate (private key) configured to authenticate to the Azure Active Directory (AAD) application used by the Exchange Admin 2022 v10.22.1.* Integration Pack (IP). If they can additionally obtain a copy of the certificate's private key (.pfx), they can use the certificate to issue management commands to Exchange Online through Exchange Online PowerShell (EXO PS), posing as the above-mentioned AAD application identity.
Masquerading as the AAD application identity allows the malicious Runbook Author to bypass the Orchestrator auditing and logging that is associated with runbook execution and editing.
Customers on SC Orchestrator 2022 using Exchange Admin 2022 Integration Pack v10.22.1.* to configure Exchange Online (M365 Exchange) servers are potentially affected.
Customers that use Exchange Admin 2022 Integration Pack to configure Exchange On-Premises servers are not affected.
Unfortunately, there is no direct way to detect whether this vulnerability has been exploited. You might want to review Exchange Online audit logs for unexpected requests issued through Exchange Online PowerShell commands. It is therefore strongly recommended that you update the Integration Pack to the latest version as soon as possible.
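Because a masquerading Runbook Author bypasses Orchestrator's own runbook auditing, one practical review is to correlate Exchange Online audit records attributed to the IP's AAD application identity against Orchestrator runbook execution records, and flag any EXO PS activity under that identity that no runbook run explains. The following is an added example, not Microsoft's code; the audit records and runbook history are constructed inline, the AuditData field names (CreationTime, Operation, UserId, RecordType) are assumed, and the application identity is a placeholder.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Field names are assumed to follow
# the Exchange Online unified audit log AuditData layout.
APP_IDENTITY = "exo-ip-app@contoso.example"  # placeholder for the IP's AAD app identity

EXO_AUDIT = [
    # Explained: falls inside a runbook run below.
    {"CreationTime": "2023-03-01T10:00:20", "RecordType": "ExchangeAdmin",
     "Operation": "Set-Mailbox", "UserId": APP_IDENTITY},
    # Unexplained: the app identity acting at 03:00 with no runbook running.
    {"CreationTime": "2023-03-02T03:00:00", "RecordType": "ExchangeAdmin",
     "Operation": "Add-MailboxPermission", "UserId": APP_IDENTITY},
    # Not the app identity, so out of scope for this check.
    {"CreationTime": "2023-03-02T03:05:00", "RecordType": "ExchangeAdmin",
     "Operation": "Get-Mailbox", "UserId": "human.admin@contoso.example"},
]

# Constructed Orchestrator runbook execution history (start/end of each run).
ORCH_RUNS = [
    {"Runbook": "Provision-Mailbox", "Start": "2023-03-01T10:00:00", "End": "2023-03-01T10:01:30"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def unexplained_app_activity(exo_audit, orch_runs, app_identity, slack=timedelta(minutes=5)):
    """Return ExchangeAdmin records issued under app_identity that do not overlap
    any runbook run (padded by `slack` to absorb clock skew and queueing delay)."""
    windows = [(_ts(r["Start"]) - slack, _ts(r["End"]) + slack) for r in orch_runs]
    hits = []
    for rec in exo_audit:
        if rec.get("RecordType") != "ExchangeAdmin" or rec.get("UserId") != app_identity:
            continue
        when = _ts(rec["CreationTime"])
        if not any(lo <= when <= hi for lo, hi in windows):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unexplained_app_activity(EXO_AUDIT, ORCH_RUNS, APP_IDENTITY):
        print(f"{rec['CreationTime']} {rec['Operation']} by {rec['UserId']}: no matching runbook run")
```

In a real review, replace the constructed lists with exported unified audit log records and Orchestrator runbook history; any hit is an operation that Orchestrator's own logs would never have shown.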
Exchange Admin 2022 Integration Pack v10.22.2.5 and above fix this vulnerability by handling the certificate passphrase securely. The Orchestrator Administrator should follow these steps to mitigate the issue:
If you need help or have any questions, please create a Support request or ask community experts at Microsoft Q&A.