Exchange server 0-day exploits are actively exploited

[German]Microsoft warns: Four 0-day vulnerabilities are combined for targeted attacks on Exchange via Outlook Web App. Administrators of on-premises Microsoft Exchange servers should urgently respond and install the updates released on March 2, 2021. A security update is also still available for Exchange Server 2010.

Microsoft released several warnings

Microsoft sent out a warning by email a few hours ago that covers revisions to security bulletins, but also describes Microsoft Exchange Server remote code execution vulnerabilities. Here is the disclosure of the vulnerabilities.

*******************************************************************************
Title: Microsoft Security Update Releases
Issued: March 2, 2021
*******************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

Critical CVEs
============================
   
* CVE-2021-26412 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412
* CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
* CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
* CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Important CVEs
============================

* CVE-2021-27078 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078
* CVE-2021-26854 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854
* CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

Publication information
===========================

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 1.0
– Reason for Revision: Information published
– Originally posted: March 2, 2021
– Updated: N/A

At the same time, I became aware of the issue via various warnings on Twitter. In the following tweet, security researcher GossiTheDog points out that the four vulnerabilities are being exploited.

Warning about Exchange Server vulnerabilities

Attack details

Microsoft published this post on the topic. The security experts noticed an attack campaign that uses several 0-day exploits (see the links above) against on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

Details of the attack are described in the Microsoft post. It also describes how to tell if the Exchange server may have been compromised. 

In the observed attacks, the threat actor used these vulnerabilities to access local Exchange servers. This allowed access to email accounts and installation of additional malware to facilitate long-term access to victims' environments. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign to the HAFNIUM group with a high degree of probability. Microsoft believes it is a state-sponsored group operating out of China based on the observed victimology, tactics and modus operandi.

Vulnerabilities addressed via update KB5000871

The vulnerabilities that were recently exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, all of which were addressed in today's Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. The vulnerabilities affect Microsoft Exchange Server, but not Exchange Online. Microsoft indicates the following versions are affected.   

  • Microsoft Exchange Server 2013 
  • Microsoft Exchange Server 2016 
  • Microsoft Exchange Server 2019

All three versions are still in regular support. Microsoft has published the support article KB5000871 – Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871). There you will also find information about known issues with this update, which is rolled out via Windows Update. However, these updates are also available for download in the Microsoft Update Catalog. In addition, the updates are offered for download in the KB article. Redmond strongly advises its customers to update their local systems immediately.

Microsoft also writes that Exchange Server 2010 will receive an update for Defense in Depth purposes. The Exchange team has also published this tech community post on the subject, where the update for Exchange Server 2010 – Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update) – can also be found. The article also contains a FAQ on various aspects.

Security researcher Kevin Beaumont (GossiTheDog) points on Twitter to a script for scanning Exchange Server installations for these vulnerabilities, which he provides on GitHub. Brian Krebs has compiled some more information in this blog post. The attacks were first discovered on January 6, 2021 by security firm Volexity, which has since disclosed its findings in this blog post.
