Security Brief: Exchange

Exchange Server Vulnerability

We have been monitoring several exploits for Microsoft Exchange servers that have been developing since May. The new development that has been seen in the wild the past couple of days is being used to drop ransomware into an organization’s environment.

Priority:

These exploits (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) should be considered extremely critical in terms of establishing a remediation plan since they can allow a threat actor to, not only gain remote access, but also drop ransomware in your environment. It is recommended that if you have an affected version that you remediate within 12-24 hours via an emergency change.

Affected Versions:

The following are all the versions that are affected with these exploits:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

The Vulnerability:

The exploit details are as follows:

  • CVE-2021-34473 – The first vulnerability of ProxyShell is similar to the SSRF in ProxyLogon. It too appears when the frontend (known as Client Access Services, or CAS) is calculating the backend URL. When a client HTTP request is categorized as an Explicit Logon Request, Exchange will normalize the request URL and remove the mailbox address part before routing the request to the backend.
  • CVE-2021-34523 – Allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
  • CVE-2021-31207 – The last part of the exploit chain is to find a post-auth RCE technique using Exchange PowerShell commands.

The Remediation:

Patch the server with the following critical updates

Release date Product Impact Severity Article Download Details
May 11, 2021 Microsoft Exchange Server 2019 Cumulative Update 8 Security Feature Bypass Moderate 5003435 Security Update CVE-2021-31207
May 11, 2021 Microsoft Exchange Server 2016 Cumulative Update 19 Security Feature Bypass Moderate 5003435 Security Update CVE-2021-31207
May 11, 2021 Microsoft Exchange Server 2016 Cumulative Update 20 Security Feature Bypass Moderate 5003435 Security Update CVE-2021-31207
May 11, 2021 Microsoft Exchange Server 2019 Cumulative Update 9 Security Feature Bypass Moderate 5003435 Security Update CVE-2021-31207
May 11, 2021 Microsoft Exchange Server 2013 Cumulative Update 23 Security Feature Bypass Moderate 5003435 Security Update CVE-2021-31207
Jul 13, 2021 Microsoft Exchange Server 2019 Cumulative Update 8 Elevation of Privilege Important 5001779 Security Update CVE-2021-34523
Jul 13, 2021 Microsoft Exchange Server 2016 Cumulative Update 19 Elevation of Privilege Important 5001779 Security Update CVE-2021-34523
Jul 13, 2021 Microsoft Exchange Server 2016 Cumulative Update 20 Elevation of Privilege Important 5001779 Security Update CVE-2021-34523
Jul 13, 2021 Microsoft Exchange Server 2019 Cumulative Update 9 Elevation of Privilege Important 5001779 Security Update CVE-2021-34523
Jul 13, 2021 Microsoft Exchange Server 2013 Cumulative Update 23 Elevation of Privilege Important 5001779 Security Update CVE-2021-34523
Jul 13, 2021 Microsoft Exchange Server 2019 Cumulative Update 9 Remote Code Execution Critical 5001779 Security Update CVE-2021-34473
Jul 13, 2021 Microsoft Exchange Server 2013 Cumulative Update 23 Remote Code Execution Critical 5001779 Security Update CVE-2021-34473
Jul 13, 2021 Microsoft Exchange Server 2019 Cumulative Update 8 Remote Code Execution Critical 5001779 Security Update CVE-2021-34473
Jul 13, 2021 Microsoft Exchange Server 2016 Cumulative Update 19 Remote Code Execution Critical 5001779 Security Update CVE-2021-34473
Jul 13, 2021 Microsoft Exchange Server 2016 Cumulative Update 20 Remote Code Execution Critical 5001779 Security Update CVE-2021-34473

Reference:

 

If you are interested in learning more about how our team can help mitigate your risks, please click here to view our Cybersecurity Services.