Microsoft Exchange Server Multiple High-Risk Vulnerabilities

March 9, 2021 | Jie Ji

Vulnerability Description

On March 2, NSFOCUS observed that Microsoft released emergency security updates to fix seven vulnerabilities in Exchange Server.

Exchange server-side request forgery vulnerability (CVE-2021-26855): An unauthenticated attacker, via a crafted HTTP request, could exploit this vulnerability to scan the intranet and authenticate as Exchange Server.

Exchange Server deserialization vulnerability (CVE-2021-26857): An attacker with administrator privileges could exploit this vulnerability to execute arbitrary code as SYSTEM on the Exchange Server.

Exchange Server arbitrary file write vulnerability (CVE-2021-26858/CVE-2021-27065): An authenticated attacker could exploit this vulnerability to write files to arbitrary directories on the server and launch attacks by combining with the CVE-2021-26855 vulnerability.

Three remote code execution vulnerabilities in Exchange Server (CVE-2021-26412/CVE-2021-26854/CVE-2021-27078): Microsoft reports that some of these vulnerabilities have already been exploited in the wild and that their details are now publicly available. Affected users should take preventive measures as soon as possible.

Reference link: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Scope of Impact

Affected Versions

  • Exchange Server 2019
  • Exchange Server 2016
  • Exchange Server 2013
  • Exchange Server 2010

Check for the Vulnerabilities

(1) Local Scan

Users can run the official Exchange Server health check script to determine whether the current Exchange Server is affected. The script can be downloaded from the following address:

https://github.com/dpaulson45/HealthChecker#download

(2) Manual Check

Users can inspect the server logs to determine whether the Exchange Server has been attacked through the preceding vulnerabilities.

CVE-2021-26855:

Check Exchange HttpProxy logs:

%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

Run the following PowerShell command over these logs to check whether the Exchange Server received requests matching this vulnerability (an unauthenticated request whose AnchorMailbox carries a ServerInfo~ target):

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

If such requests are found, review the other logs under the following directory to determine what operations the attackers performed:

%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging

CVE-2021-26857:

Users can run the following PowerShell command to search the Application event log for the error that accompanies exploitation of this vulnerability:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

CVE-2021-26858:

Access the log directory of the Exchange Server:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

Run the following command to search these logs for the entry that indicates exploitation of this vulnerability:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

CVE-2021-27065:

Access the log directory of the Exchange Server:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

Run the following PowerShell command to search these logs for virtual directory changes that indicate exploitation of this vulnerability:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
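The four checks above are written to run on the Exchange host itself. The following script is an added example, not NSFOCUS or Microsoft code, that applies the same four filters to logs copied off the host (the same HttpProxy CSV columns, ECP and OAB log lines, and Application event records), so that several servers can be triaged from one analysis machine. All log excerpts in it are constructed for the example and only reproduce the fields the filters need; column and field names other than those named in the advisory's own commands are assumptions.

```python
"""Offline triage of copied Exchange logs for the four indicators in this advisory.

Added example, not NSFOCUS or Microsoft code. Every sample below is constructed.
On a real host the logs live under %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging
and the Application event log is read with Get-EventLog; here both are assumed to
have been copied off-box as text.
"""
import csv
import fnmatch
import io
import re
from typing import Dict, List

# Constructed HttpProxy excerpt with a subset of the real CSV columns.
HTTPPROXY_SAMPLE = """DateTime,RequestId,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T10:15:01.000Z,0001,alice@example.test,Sid~S-1-5-21-1-2-3-1105,10.0.0.5,200
2021-03-03T10:15:02.000Z,0002,,ServerInfo~exch01.example.test/ews/exchange.asmx,203.0.113.9,200
2021-03-03T10:15:03.000Z,0003,,Database~abcd-1234,10.0.0.6,401
2021-03-03T10:15:04.000Z,0004,bob@example.test,ServerInfo~exch01.example.test/owa/,10.0.0.7,200
"""

# Constructed ECP\Server log lines (field layout assumed; only the cmdlet name matters).
ECP_SAMPLE = """2021-03-03T10:20:00Z,ReqId=11,Cmdlet=Get-OwaVirtualDirectory,User=admin@example.test
2021-03-03T10:20:05Z,ReqId=12,Cmdlet=Set-OabVirtualDirectory,User=admin@example.test
2021-03-03T10:20:09Z,ReqId=13,Cmdlet=Set-Mailbox,User=admin@example.test
"""

# Constructed OABGeneratorLog lines.
OAB_SAMPLE = """2021-03-03T10:25:00Z,OAB generation started for OAB-1
2021-03-03T10:25:03Z,Download failed and temporary file <path> was deleted
2021-03-03T10:25:04Z,OAB generation completed
"""

# Constructed Application event records, using the property names Get-EventLog exposes.
EVENT_SAMPLE = [
    {"Source": "MSExchange Unified Messaging", "EntryType": "Error",
     "Message": "Unhandled exception: System.InvalidCastException: ..."},
    {"Source": "MSExchange Unified Messaging", "EntryType": "Warning",
     "Message": "System.InvalidCastException seen but not fatal"},
    {"Source": "MSExchange ADAccess", "EntryType": "Error",
     "Message": "Process ... failed: System.InvalidCastException"},
]


def find_unauthenticated_serverinfo(csv_text: str) -> List[Dict[str, str]]:
    """CVE-2021-26855: rows with an empty AuthenticatedUser whose AnchorMailbox
    matches the wildcard ServerInfo~*/*. Mirrors the advisory's PowerShell filter;
    the match is case-insensitive like -like. Lines starting with '#' are skipped
    defensively in case a log carries header comments."""
    rows = csv.DictReader(line for line in io.StringIO(csv_text) if not line.startswith("#"))
    hits = []
    for row in rows:
        if (row.get("AuthenticatedUser") or "").strip():
            continue  # authenticated request: not the pattern we are looking for
        anchor = row.get("AnchorMailbox") or ""
        if fnmatch.fnmatchcase(anchor.lower(), "serverinfo~*/*"):
            hits.append({"DateTime": row["DateTime"], "AnchorMailbox": anchor,
                         "ClientIpAddress": row.get("ClientIpAddress", "")})
    return hits


def grep_lines(text: str, pattern: str) -> List[str]:
    """Case-insensitive line search, like Select-String or findstr /i."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in text.splitlines() if rx.search(line)]


def find_um_invalid_cast(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """CVE-2021-26857: Error events from the Unified Messaging source mentioning
    System.InvalidCastException, as in the advisory's Get-EventLog pipeline."""
    return [e for e in events
            if e["Source"] == "MSExchange Unified Messaging"
            and e["EntryType"] == "Error"
            and "System.InvalidCastException" in e["Message"]]


def triage(httpproxy: str, ecp: str, oab: str, events: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of matching records per CVE; any non-zero count warrants a closer look."""
    return {
        "CVE-2021-26855": len(find_unauthenticated_serverinfo(httpproxy)),
        "CVE-2021-26857": len(find_um_invalid_cast(events)),
        "CVE-2021-26858": len(grep_lines(oab, re.escape("Download failed and temporary file"))),
        "CVE-2021-27065": len(grep_lines(ecp, r"Set-.+VirtualDirectory")),
    }


if __name__ == "__main__":
    for cve, count in triage(HTTPPROXY_SAMPLE, ECP_SAMPLE, OAB_SAMPLE, EVENT_SAMPLE).items():
        print(f"{cve}: {count} matching record(s)")
    for hit in find_unauthenticated_serverinfo(HTTPPROXY_SAMPLE):
        print("  unauthenticated ServerInfo request:", hit)
```

Against the constructed samples each check yields exactly one record, and the HttpProxy hit reports the client address so it can be cross-referenced with the other logs under the Logging directory. Note that the fourth HttpProxy row is deliberately not reported: its AnchorMailbox matches, but the request was authenticated, which is why the empty AuthenticatedUser condition is part of the advisory's filter.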

Mitigation

(1) Patch Update

Currently, Microsoft has released security patches for the supported product versions to fix the preceding vulnerabilities. Affected users are strongly advised to enable automatic Windows update to install these patches as soon as possible.

Note: Windows Update may fail because of network or machine-specific issues, so users are advised to confirm that the patches were installed successfully immediately after installation. Right-click the Start button and choose Settings > Update & Security > Windows Update to view the status shown on that page, or click View update history to see previously installed updates.

If an update cannot be installed through Windows Update, the update package can be downloaded for offline installation from the corresponding address in the following table:

Product Update | Update Number | Update Download Link
Microsoft Exchange Server 2010 Service Pack 3 | KB5000978 | https://www.microsoft.com/en-us/download/details.aspx?id=102774
Microsoft Exchange Server 2013 Cumulative Update 23 | KB5000871 | https://www.microsoft.com/en-us/download/details.aspx?id=102775
Microsoft Exchange Server 2016 Cumulative Update 18 | KB5000871 | https://www.microsoft.com/en-us/download/details.aspx?id=102773
Microsoft Exchange Server 2016 Cumulative Update 19 | KB5000871 | https://www.microsoft.com/en-us/download/details.aspx?id=102772
Microsoft Exchange Server 2019 Cumulative Update 7 | KB5000871 | https://www.microsoft.com/en-us/download/details.aspx?id=102771
Microsoft Exchange Server 2019 Cumulative Update 8 | KB5000871 | https://www.microsoft.com/en-us/download/details.aspx?id=102770

Note: Prior to upgrade, you should make a backup of data in case the upgrade renders the system unusable.

(2) Mitigations

1. Until the updates are applied, users should use an intrusion detection device to monitor in particular for unauthorized outbound connections from the Exchange Server, internal port scanning, and worm-like propagation behavior.

2. Users are advised not to open emails from suspicious sources, in case attackers exploit the vulnerabilities in question to execute arbitrary code on the machine.

3. If users cannot apply updates for the time being, keep a close eye on Exchange Server login failures, clear zombie accounts and accounts of resigned employees and suppliers, reset accounts with login failures, and change accounts’ weak passwords to strong ones that meet password complexity requirements.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyberattacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.