EXECUTIVE SUMMARY:
Microsoft Exchange Server, Update Now
Four zero-day exploits were recently used in a limited number of targeted attacks, according to Microsoft. The cyber attackers leveraged the bugs in on-premise Exchange servers for the purpose of probing email accounts. At least one of the zero-days enabled attackers to obtain the complete contents of several individuals’ inboxes.
Exchange Server Update Information
Microsoft quickly released several security updates for Microsoft Exchange Servers. The updates address the vulnerabilities under recent exploit. To protect ecosystems as best as possible, Microsoft recommends that clients install updates on affected systems immediately.
The versions that require updates include:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Microsoft recommends that organizations begin by updating external-facing servers.
Microsoft provided vulnerability summaries:
- CVE-2021-26855: This is a server-side request forgery (SSRF) that enabled the criminals to approve HTTP requests and to authenticate as the Exchange server.
- CVE-2021-26857: This is an insecure deserialization vulnerability. It’s located in the Unified Messaging service. Exploitation of this zero-day permitted the criminals to run code as SYSTEM on the exchange server. Administrative permissions or additional vulnerabilities are necessary to exploit this.
- CVE-2021-26858: This is a post-authentication arbitrary file zero-day in Exchange. Exploitation of this vulnerability could ultimately enable criminals to write a file to any path on the server.
- CVE-2021-27065: This vulnerability is a post-authentication arbitrary file write zero-day in Exchange. As with CVE-2021-26858, exploitation of this vulnerability could ultimately enable criminals to write a file to any path on the server.
Federal response, United States
Federal agencies are required to capture all data related to on-premises Microsoft Exchange Servers, and must share findings with CISA by noon on March 5th. Agencies that are unable to forensically triage the situation were directed to “immediately disconnect Microsoft Exchange on-premise servers”. CISA intends to relay cross-agency statuses and notification of any outstanding issues to the Secretary of Homeland Security and the Director of the Office of Management and Budget, by April 5th, 2021.
Further details
Does your organization have a cyber security vendor? Vendors may be able to help ensure that your organization has not been impacted by these exploits.
For more information about the Microsoft Exchange Server exploits, click here.