
Security advisories | Mar 02, 2021

Multiple 0-Day Exploits Targeting On-Premise Exchange Versions

THE THREAT

On March 2nd, 2021, Microsoft released security updates for multiple 0-day vulnerabilities in on-premises versions of Exchange. Microsoft also published a threat research report describing technical details related to these attacks.

Microsoft has indicated these attacks are limited and targeted in nature and attributes the activity to a threat actor group dubbed HAFNIUM. Customers should prioritize the patching of affected products immediately.

When exploited, these vulnerabilities permit access to on-premises Exchange servers, enabling unauthorized access to email. Additionally, Microsoft reports that attackers employed webshell malware to maintain access to compromised Exchange servers. Exchange Online is not affected by these vulnerabilities.

What we’re doing about it

  • MVS will automatically add plugins, when available, to identify all vulnerabilities listed in the Additional information section.
    • MVS customers seeking assistance with their review or scans should contact their MVS consultant or the eSentire Security Operations Center (SOC).
  • eSentire security teams continue to track this topic for additional details and detection opportunities.

What you should do about it

  • The following versions of Microsoft Exchange Server are vulnerable and should be updated as soon as possible:
    • Microsoft Exchange Server 2013
    • Microsoft Exchange Server 2016
    • Microsoft Exchange Server 2019
  • Specific guidance on updating these systems can be found here.

Additional information

The recent critical vulnerabilities are as follows and affect Microsoft Exchange Server versions 2013, 2016, and 2019.

CVE-2021-26855 (CVSS Score: 9.1/10) – A server-side request forgery (SSRF) vulnerability in Microsoft Exchange that allows a threat actor to send an arbitrary HTTP request and authenticate as the Exchange server.

CVE-2021-26857 (CVSS Score: 7.8/10) – An insecure deserialization vulnerability in the Unified Messaging service. Exploiting it requires administrator privileges or the use of another vulnerability. This vulnerability gave HAFNIUM the ability to run code as SYSTEM on an Exchange server.

CVE-2021-26858/CVE-2021-27065 (CVSS Score: 7.8/10) – Post-authentication arbitrary file write vulnerabilities in Microsoft Exchange. Exploiting them requires either compromising an admin’s credentials or the use of CVE-2021-26855.

The vulnerabilities above were used as part of the attack chain by HAFNIUM, which required the initial ability to make an untrusted connection to a Microsoft Exchange server on port 443. While this can be mitigated by setting up a VPN to separate the Exchange server from external access or by restricting untrusted connections, doing so only protects against the initial portion of the attack. Threat actors can use alternative means to exploit these vulnerabilities, such as convincing an administrator to run a malicious file or using access to the environment already gained via other means.

All of these vulnerabilities should receive a high priority for patching, as exploitation was observed and attributed to the state-sponsored group HAFNIUM.

References:

[1] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[2] https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/