PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?

[German]Ok, I think I got your attention with the headline. From what I heard, next Tuesday there will be some updates for Exchange Server. Why? Because three Exchange exploits were presented at the hacker conference Pwd2Own (6-8.4-2021). Maybe it would be a good idea to make sure that the Exchange servers are patched over the weekend to be able to start with updates in time.


German Exchange specialist Frank Carius thankfully contacted me via email today and pointed me to his German summary here. Frank is active in the Exchange environment and keeps an eye on security. That's why he immediately noticed the corresponding reports. I was also told 'via bush radio' that admins who has an Microsoft E(xx) subscription, has been notified in advance about patches next Thuesday (but details are under NDA).

Exchange exploits on Zero Day Initiative

On the website of the Zero Day Initiative (ZDI) the hacks of the Pwn2Own 2021 are presented. And there are a few sites that immediately jump out at you when you search for Exchange:

DEVCORE targeting Microsoft Exchange in the Server category

SUCCESS – The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.

Apparently, the DEVCORE team managed to exploit an authentication bypass vulnerability including local privilege escalation and collect $200,000 in bounty. The amount of the bounty as well as the keywords to the vulnerability raise eyebrows – there are some things reminiscent of the HAFNIUM case from early March 2020 – and DEVCORE was involved in the discovery of this vulnerability (see  the ProxyLogon page). Team VETTEL was only partially successful with the second vulnerability reported below.

Team Viettel targeting Microsoft Exchange in the Server category

PARTIAL – Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.

My understanding it, that they used known vulnerabilities from the competition. In the following message, Steven Seeley must have been also partially successful.

Steven Seeley of Source Incite targeting Microsoft Exchange in the Server category

PARTIAL – Although Steven did use two unique bugs in his demonstration, this attempt was a partial win due to the Man-in-the-Middle aspect of the exploit. It's still great research though, and he earns 7.5 Master of Pwn points.

There is no word from Microsoft on the matter, but the first DEVCORE attack would make me jittery as an Exchange administrator. Frank Carius took the trouble to watch the partly linked YouTube videos and refers to this video. There is the reference to "Patch Tuesday" where Exchange updates should appear with credits to Steven Seeley. If you add 1+1 together, it is not entirely unlikely that on 4/13/2021 corresponding updates for Exchange 2013 to 2019 could be provided. 


Get your patch status up to date

Frank Carius points out: In many companies, Exchange servers are still running on old patch levels. In the March 2021 Exchange incident, administrators were caught cold and no out-of-band updates were available for older Exchange CUs. It wasn't until the mass hacks by Hafnium became all too apparent that Microsoft also trickled in also out-of-band-updates for older CUs.

Since CUs are released at 3-month intervals, and perhaps only a security update for the current CU is released, all Exchange servers with older patch levels would be left out without out-of-band-updates. If then a vulnerability with hafnium potential including exploit becomes public, Exchange administrators might have little time to patch. You still have a couple of hours to check the patch status. Hope I have caught your attention …

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Microsoft Defender automatically mitigates CVE-2021-26855 on Exchange Server
Exchange hack news: What's about risk? (April 1, 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , , . Bookmark the permalink.

One Response to PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?

  1. Arian van der Pijl says:

    You were right! ;)

Leave a Reply

Your email address will not be published. Required fields are marked *