Microsoft on-premises zero-day vulnerabilities
Dear all, Four previously unknown or ‘zero-day’ vulnerabilities in Microsoft Exchange Server are now being used in widespread attacks against thousands of organizations with potentially tens of thousands of organizations affected, according to security researchers.
Executive Summary
Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. The vulnerabilities recently being exploited were CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, and CVE-2021–27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release — Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.
• CVE-2021–26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021–26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
• CVE-2021–26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
• CVE-2021–27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
Affected Products
- Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019
Mitigation Strategies
Recommended solution: Install the security patch
- This method is the only complete mitigation and has no impact to functionality.
- The following has details on how to install the security update: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
- This will not evict an adversary who has already compromised a server.
Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019:
- Implement an IIS Re-Write Rule to filter malicious https requests
- Disable Unified Messaging (UM)
- Disable Exchange Control Panel (ECP) VDir
• Disable Offline Address Book (OAB) VDir
References For additional information related to this threat/vulnerability please refer following resources
• https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
• https://www.kaspersky.com/blog/exchange-vulnerabilities/38964/