The Seven Microsoft Exchange Server Vulnerabilities
Four of the seven bugs addressed in last Tuesday’s patch release were zero-day vulnerabilities that had already been exploited in the wild, possibly for months and affecting thousands of organizations. Microsoft describes the four vulnerabilities as part of an active attack chain that begins with an untrusted connection to the Exchange Server via port 443. The rest of the attack hinges on whether the actor can gain administrative access to the server.
Back in January, Volexity noted abnormal activity in two of its customers’ Microsoft Exchange accounts. At the time, these accounts were sending a lot of data to an unknown external IP address. Upon closer inspection, Volexity ruled out the possibility of a server backdoor and discovered a zero-day server-side request forgery (SSRF) vulnerability. The security bug tagged CVE-2021-26855 is a remote code execution vulnerability that enabled the hacker to steal data from several Microsoft Exchange mailboxes.
According to Volexity, the exploit does not need any authentication, remote or otherwise, or any prior technical knowledge of the server environment. The attacker only needs to identify the server running MS Exchange and the target account.
CVE-2021-26857 is an insecure deserialization RCE vulnerability that allowed hackers to run code as SYSTEM on Microsoft Exchange Server. Running the code would require administrator permission or a separate exploit such as a malware injection.
CVE-2021-27065 and CVE-2021-26858 are arbitrary-file-write remote code execution vulnerabilities that enabled an attacker to write a file on the server. The file write is only possible after gaining privileged access to the server, either through a successful CVE-2021-26855 exploit or with stolen admin credentials.
Microsoft also addressed three more RCE bugs not related to any known attacks. These were:
According to Microsoft, any externally facing servers running Exchange Server 2013, 2016, or 2019 are in danger of these exploits. Microsoft Exchange Online and Server 2010 SP3 are not vulnerable to any of these exploits. Microsoft has highlighted some indicators of an imminent or progressing attack and a PowerShell tool to identify various exploit markers.
There were several reported attacks on Exchange Server accounts, mostly targeted at infectious disease researchers, learning institutions, NGOs, and law firms in the US. But there were also several attacks reported in Asia, Europe, and the Middle East. Microsoft Threat Intelligence Center (MSTIC) identified the actor as Hafnium, an allegedly state-sponsored group of hackers operating from China.
Two more zero-day vulnerabilities fixed
The first is tracked as CVE-2021-26411, a memory corruption vulnerability affecting Internet Explorer and Microsoft Edge (EdgeHTML-based). Microsoft marked this CVE as ‘critical’ and under active attack. The vulnerability allows an attacker to run malicious code on the client’s system if the browser accesses a specially crafted HTML page. The actors could either create a fake website or infect a legitimate site with a malicious payload. Google’s Threat Analysis Group first disclosed this exploit back in January, attributing it to the Lazarus group. Later, in early February, researchers at ENKI, a South Korean cybersecurity firm, reported the same attack, which seemed to target security researchers.
Another zero-day vulnerability tracked as CVE-2021-27077 was also fixed in March’s patch release. The bug affects win32k, which is responsible for displaying data on a Windows screen. This Elevation of Privilege Vulnerability only scores a 7.8 CVSS since there were no reported exploits before the patch. An attacker might leverage this vulnerability to elevate their privilege beyond whatever user account level they have already compromised.
Other ‘critical’ and ‘important’ fixes
Windows DNS Server RCE and DoS vulnerabilities
The five CVEs CVE-2021-26894, CVE-2021-26877, CVE-2021-26895, CVE-2021-26897, and CVE-2021-26893 are Remote Code Execution vulnerabilities in Windows DNS servers. All of these score 9.8 on the CVSS metrics, but only CVE-2021-26897 is considered critical. They could be exploited during dynamic updates. CVE-2021-27063 and CVE-2021-26896 are DoS bugs that could be exploited to exhaust the target server’s resources, causing it to become unresponsive.
Windows Hyper-V RCE vulnerability
Authorized attackers could exploit CVE-2021-26867 to execute code on the Hyper-V server clients using the Plan 9 file system (9P). This bug has a CVSS of 9.9, although Microsoft rates its exploit as ‘less likely.’
This month’s Patch Tuesday disclosed several serious flaws needing immediate patching. For the Exchange Server vulnerabilities, patching alone is not enough. Microsoft recommends probing vulnerable servers for signs of an attack and cleaning up any detectable exploits, even after installing the latest patch.
As usual, be sure to update all your Windows systems after every patch or cumulative update release. Next month’s Patch Tuesday is scheduled for April 13. Stay tuned for more security update news from Microsoft.
Microsoft explained that Hafnium is a group of highly skilled and sophisticated threat actors with a knack for US state secrets.
Hafnium perpetrated the attacks by deploying malicious web shells on already compromised servers. These shells would enable the attacker to steal data from the server. For instance, the actors could download the offline address book containing vital corporate information, mailbox data, and even account credentials from compromised servers.
Other espionage groups have also exploited the SSRF vulnerability (CVE-2021-26855) to target government assets in various countries.
Who is vulnerable?
All four vulnerabilities affect Exchange Server 2013, 2016, and 2019. Despite being a much earlier build, Microsoft Exchange Server 2010 SP3 is not vulnerable to any of the four exploits. The bugs only affect on-premises Exchange Server; Exchange Online is safe from these specific attacks.
The attacks targeted dozens of private companies, not just government-related agencies and public organizations. And although there is no proof of concept at this time, there is a strong possibility that these attacks have been running undetected for a couple of months now. Volexity had been tracking the exploit for nearly two months and is one of the first groups credited with discovering the attack chain and the possible exploits.
Recommended action
Microsoft’s recommendation is to install the newly released updates on all vulnerable systems immediately to protect corporate information from possible attacks. Servers running older Exchange Server cumulative updates may need to be updated to the latest rollup version before they can accept the new security fixes.
Since the first stage of the attack requires a connection to the server via port 443, Microsoft says it can be prevented by restricting untrusted connections or separating the Exchange Server from external networks via a VPN. If this initial portion of the attack fails, the rest of the chain breaks down.
Stay updated
The week leading up to this month’s out-of-band patch release was quite eventful. This release batch may even overshadow the upcoming official Patch Tuesday. But anyway, we’ll just have to wait and see what Microsoft has in store.
After realizing just how intrusive and devastating an Exchange Server attack can be, now might be a good time to learn more about defending your Exchange Server from all forms of attacks. The important thing to remember is to keep all systems up-to-date and follow security patch news and releases to stay informed on new zero-day exploits and other risks.
Never Miss an Update with Action1 Patch Management Solution
New patches and features updates present opportunities to improve your IT performance and safeguard your digital assets against internal and external threats. It’s up to you to ensure that these patches are installed correctly and promptly to avoid compromising your IT security posture and efficiency.
With the Action1 patch management solution, you never have to worry about patches or other updates on your Windows systems. Action1 enables automated patching on Windows OS and features while allowing real-time control and visibility into the updates already installed and those that are missing. Our patch manager reinforces your endpoint security by automatically scanning and deploying all the necessary Windows updates as soon as they’re released.
Start your Action1 free trial today and sample the freedom, peace of mind, convenience, and reassurance of protecting your software infrastructure using the most robust and dependable automated patch management solution.