NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge

Just in Time Bulletin: Four Zero-day Vulnerabilities in Microsoft Exchange Server

Sep 02, 2021

Four Microsoft zero-day vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – in Microsoft Exchange servers have been used in chained attacks in the wild.

What are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065? 

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

How bad is this? 

CVE

CVSSv3 Score

CVE-2021-26855

9.1

CVE-2021-26857

7.8

CVE-2021-26858

7.8

CVE-2021-27065

7.8

 

Active exploitation today: Exploited in the wild

Severity: Critical

  • credentials not required
  • authentication bypass
  • results in domain controller compromise

Who is affected by this? 

All 4 vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 –  effects below 5 servers:

  • Microsoft Exchange Server 2016 Cumulative Update 18
  • Microsoft Exchange Server 2019 Cumulative Update 7
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2016 Cumulative Update 19

CVE-2021-26857 also affects Microsoft Exchange Server 2010 Service Pack 3.

How are they exploited? 

Please review the Microsoft security advisory for the exploitation details. 

How do I protect myself? 

Microsoft has released patches to address all 4 vulnerabilities and they emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. 

NopSec strongly encourages organizations to apply these patches as soon as possible

Additional Resources: