Just in Time Bulletin: Four More Zero-day Vulnerabilities in Microsoft Exchange Server
We have covered the 4 zero-day vulnerabilities in the Microsoft Exchange Server back in March 3rd, 2021.
There are additional Four more zero-day vulnerabilities – CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 – in Microsoft Exchange servers have been used in attacks in the wild.
What are CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483?
CVE-2021-28480 and CVE-2021-28481 are pre-authentication vulnerabilities in Microsoft Exchange Server. A pre-authentication vulnerability means that an attacker does not need to authenticate to the vulnerable Exchange Server in order to exploit the vulnerability. All the attacker needs to do is perform reconnaissance against their intended targets and then send specially crafted requests to the vulnerable Exchange Server.
CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities in Microsoft Exchange Server. These are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. However, these flaws could be chained together with a pre-authentication Exchange Server vulnerability to bypass that requirement.
How bad is this?
Active exploitation today: Exploited in the wild
- credentials not required
- authentication bypass
- results in Exchange controller compromise
Who is affected by this?
All 4 vulnerabilities – CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 – effects below 5 servers:
- Microsoft Exchange Server 2019 Cumulative Update 9
- Microsoft Exchange Server 2019 Cumulative Update 8
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2013 Cumulative Update 23
How are they exploited?
Please review the Microsoft Security Advisory for the exploitation details.
How do I protect myself?
Microsoft has released patches to address all 4 vulnerabilities and they emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.
NopSec strongly encourages organizations to apply these patches as soon as possible.