Security advisories | Apr 13, 2021

Microsoft Exchange Vulnerabilities Announced 

THE THREAT

On April 13th, Microsoft released its monthly bundle of security patches. Notably, this release includes patches for four vulnerabilities affecting multiple versions of on-premises Microsoft Exchange Server. All four Exchange vulnerabilities received a rating of critical and could allow attackers to execute code on remote Exchange servers. Exploitation may allow persistent access to and control of enterprise networks.

Exploitation in the wild has not been identified at this time. Microsoft rates these vulnerabilities as “Exploitation More Likely”. The criticality of these vulnerabilities and the potential value of Exchange server exploits increase the likelihood of exploitation in the near future. Organizations are strongly advised to apply the relevant security patches as soon as possible.

What we’re doing about it

  • MVS has local plugins available to identify the Exchange vulnerabilities
  • eSentire security teams continue to track this for additional detection measures

What you should do about it

  • After performing a business impact review, apply the relevant security patches provided by Microsoft
  • esENDPOINT customers are advised to deploy endpoint agents to on-premises Exchange servers for ongoing monitoring

Additional information

All four of these vulnerabilities were discovered and reported to Microsoft by the National Security Agency (NSA). Two of the vulnerabilities (CVE-2021-28480, CVE-2021-28481) are remotely exploitable without authentication. Exploits for these vulnerabilities will be highly valuable to adversaries. Mitigating these vulnerabilities before exploits become available is critical.

Exchange Vulnerabilities:

  • CVE-2021-28480 (CVSS: 9.8) Microsoft Exchange Server Remote Code Execution Vulnerability
    • Prior authentication is not required for exploitation
  • CVE-2021-28481 (CVSS: 9.8) Microsoft Exchange Server Remote Code Execution Vulnerability
    • Prior authentication is not required for exploitation
  • CVE-2021-28482 (CVSS: 8.8) Microsoft Exchange Server Remote Code Execution Vulnerability
    • Exploitation requires minimal privileges
  • CVE-2021-28483 (CVSS: 9.0) Microsoft Exchange Server Remote Code Execution Vulnerability
    • Exploitation requires minimal privileges

Impacted Products:

  • Microsoft Exchange Server 2019 Cumulative Update 9 & 8
  • Microsoft Exchange Server 2016 Cumulative Update 20 & 19
  • Microsoft Exchange Server 2013 Cumulative Update 23
