Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft Releases Exchange Emergency Patch to Fix Actively Exploited Vulnerability SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Releases Exchange Emergency Patch to Fix Actively Exploited Vulnerability

Microsoft today released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities. Four of these vulnerabilities are currently being used in targeted attacks.

Quick Summary / What you need to do:

  1. Verify that you are not already compromised. Microsoft has some indicators here.
  2. Patch. But currently, the patch is only available if you applied recent updates. So you may have to apply them first if you are behind. See the first table below for details.
  3. Review your Exchange Server configuration. Microsoft has tips here.

The attacks gain access via a Server Side Request Forgery (SSRF) vulnerability. Exploiting this vulnerability requires access to port 443. This vulnerability can be used to trick the Exchange server to send requests essentially to itself, bypassing authentication. This will give access to an insecure deserialization vulnerability that can be leveraged to execute arbitrary code as SYSTEM. Finally, two file upload vulnerabilities are used to upload files to the system.

Microsoft observed the attackers uploading web shells for persistent access and exfiltrating credentials and email from affected servers.

Microsoft currently only makes patches available for the exact versions listed below in the "Patch Available For" column. You will first need to apply the respective RU/CU before applying today's patch.

Version Vulnerable Patch Available For
Exchange Server 2010 no 2010 RU 31 for SP 3 (defense-in-depth update)
KB5000978
Exchange Server 2013 yes 2013 CU 23 (KB5000871)
Exchange Server 2016 yes 2016 CU 19 CU 18 (KB5000871)
Exchange Server 2019 yes CU 8 CU 7 (KB5000871)

 

March 2, 2021 Exchange Emergency Patch Summary.

Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26412 No No Less Likely Less Likely Critical 9.1 8.2
CVE-2021-26854 No No Less Likely Less Likely Important 6.6 5.8
CVE-2021-26855 No Yes Detected Detected Critical 9.1 8.4
CVE-2021-26857 No Yes More Likely Detected Critical 7.8 7.2
CVE-2021-26858 No Yes Detected Detected Important 7.8 7.2
CVE-2021-27065 No Yes Detected Detected Critical 7.8 7.2
CVE-2021-27078 No No Less Likely Less Likely Important 9.1 8.2

Related Microsoft Posts:

HAFNIUM targeting Exchange Servers with 0-day exploits
Multiple Security Updates Released for Exchange Server
Released: March 2021 Exchange Server Security Updates
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS London October 2021

 Johannes

4240 Posts
ISC Handler
Mar 5th 2021
Thread locked Subscribe Mar 5th 2021
6 months ago

Sign Up for Free or Log In to start participating in the conversation!