Zero-day Vulnerabilities in Microsoft Exchange Server
Microsoft announced in its latest update that it has fixed several zero-day vulnerabilities that are being used in targeted attacks to infiltrate Exchange servers and thereby gain access to the mailboxes of companies, government bodies, medical and academic centers, and others. Beyond reading sensitive email, the attackers drop additional malware on the compromised server to maintain long-term access and execute further malicious commands.
The 4 vulnerabilities exploited in these attacks are as follows:
- CVE-2021-26855: A Server-Side Request Forgery (SSRF) vulnerability with a Critical CVSS score. It allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server itself; the credentials forged through this vulnerability are what the subsequent vulnerabilities rely on.
- CVE-2021-26857: A remote code execution vulnerability with a High CVSS score. It requires authentication, which can be obtained through CVE-2021-26855.
- CVE-2021-26858: A remote code execution vulnerability with a High CVSS score. Used after the previous two vulnerabilities, it lets the attacker write a file of their choosing to any path on the server.
- CVE-2021-27065: A remote code execution vulnerability with a High CVSS score, with the same characteristics as CVE-2021-26858.
In these attacks, the attackers first scan the Internet to identify vulnerable Exchange servers. They then use CVE-2021-26855 against an identified server, sending crafted HTTP requests that bypass authentication. Once authenticated, they use the other three vulnerabilities to upload a web shell, execute malicious commands and take control of the server.
Vulnerable versions
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Vulnerability testing method
To test for vulnerabilities, you can use the following script provided by Microsoft:
Security recommendations
The most important and safest way to prevent intrusion through these vulnerabilities is to install the security patches Microsoft has provided. Be aware, however, that installing the patch alone does not eliminate the risk: these vulnerabilities have been exploited by attackers for some time, and if your server has already been compromised, the patch will not remove the back doors and other changes the attackers have made to your system.
So, as soon as possible:
- Install the relevant patch to prevent further intrusions.
- Carry out a forensic check of your Exchange servers yourself, based on the logs on the server and its network traffic.
- If you observe anything suspicious, or are unable to carry out the forensic investigation yourself, contact a forensic team. (As always, the insurance company is ready to provide advice on security issues and forensic investigation.)
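The forensic check recommended above usually starts with the IIS logs of the Exchange front end, because both stages of the attack chain described earlier leave traces there: unauthenticated requests that the server nevertheless serves as if they were authenticated, followed by repeated POSTs to a freshly dropped .aspx page (the web shell). The script below is an added example written for this advisory; it is not Microsoft's test script and not part of the original page. The log lines, IP addresses, user names and file names are constructed, and the path rules (.aspx under `/aspnet_client/`, which normally holds only client-side files; an anonymous request to `/ecp/` answered with 2xx; a non-baselined .aspx under `/owa/auth/`) and the `OWA_AUTH_BASELINE` set are assumptions to be tuned against your own servers, not facts stated on the page.

```python
"""Triage IIS W3C logs from an Exchange front end for traces of the attack
chain: anonymous requests served as authenticated, then hits on a dropped
web shell. Added example, not Microsoft's script; all sample data below is
constructed and every path rule is an assumption to validate locally."""
from collections import Counter

# Assumed baseline: .aspx pages legitimately served under /owa/auth/.
OWA_AUTH_BASELINE = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx",
                     "/owa/auth/errorfe.aspx"}

ANON_ECP = "anonymous-ecp-success"        # unauthenticated /ecp/ request answered 2xx
ASPX_ASPNET_CLIENT = "aspx-under-aspnet_client"  # server-side page where none belongs
ASPX_OWA_AUTH = "unbaselined-owa-auth-aspx"      # unknown .aspx next to the logon page
SHELL_LABELS = {ASPX_ASPNET_CLIENT, ASPX_OWA_AUTH}

# Constructed sample in IIS W3C format (the #Fields: line drives the parser).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 192.0.2.10 Mozilla/5.0 200
2021-03-03 08:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 302
2021-03-03 08:13:44 10.0.0.5 POST /ecp/example_endpoint - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 08:13:46 10.0.0.5 POST /ecp/example_endpoint - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 08:14:02 10.0.0.5 POST /aspnet_client/system_web/shell_example.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 08:14:05 10.0.0.5 POST /aspnet_client/system_web/shell_example.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 08:20:15 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields: names."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        parts = line.split()
        if len(parts) != len(fields):     # skip malformed lines instead of guessing
            continue
        records.append(dict(zip(fields, parts)))
    return records


def classify(rec):
    """Return the finding labels for one record (empty list = nothing notable)."""
    labels = []
    stem = rec["cs-uri-stem"].lower()
    anonymous = rec["cs-username"] == "-"
    success = rec["sc-status"].startswith("2")
    # ECP is an authenticated admin interface; an anonymous request that is
    # still served successfully points at an authentication bypass.
    if anonymous and success and stem.startswith("/ecp/"):
        labels.append(ANON_ECP)
    # A server-side page in a directory that should only hold static client
    # files, or an unknown page beside the logon page, is a web-shell candidate.
    if stem.endswith(".aspx"):
        if stem.startswith("/aspnet_client/"):
            labels.append(ASPX_ASPNET_CLIENT)
        elif stem.startswith("/owa/auth/") and stem not in OWA_AUTH_BASELINE:
            labels.append(ASPX_OWA_AUTH)
    return labels


def triage(text):
    """Return (findings, repeated): every flagged record as (client ip, path,
    labels), and suspicious pages that one client POSTed to more than once,
    which is what commands sent to a web shell look like in the log."""
    findings, posts = [], Counter()
    for rec in parse_iis_log(text):
        labels = classify(rec)
        if not labels:
            continue
        findings.append((rec["c-ip"], rec["cs-uri-stem"], labels))
        if rec["cs-method"] == "POST" and SHELL_LABELS.intersection(labels):
            posts[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    repeated = {key: n for key, n in posts.items() if n >= 2}
    return findings, repeated


if __name__ == "__main__":
    found, shells = triage(SAMPLE_LOG)
    for ip, path, labels in found:
        print(f"{ip} {path} {', '.join(labels)}")
    for (ip, path), n in shells.items():
        print(f"possible web shell: {path} ({n} POSTs from {ip})")
```

Run it against the real logs by reading `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*` instead of `SAMPLE_LOG`; the parser follows the `#Fields:` header, so it copes with whatever column layout your servers log. Treat every hit as a lead to confirm on disk (the file behind a flagged .aspx path, its creation time, and which process wrote it), not as proof of compromise on its own.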
The following is a security update link for each of the vulnerabilities: