Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability

By Fortra's Digital Defense

On Tuesday, March 2nd, Microsoft released an out-of-band security update to mitigate four zero-day vulnerabilities that were observed being exploited in the wild against Microsoft Exchange Servers. A server-side request forgery (SSRF) vulnerability tracked as CVE-2021-26855 is the likely initial access vector for attackers. Exploiting it gives an attacker the ability to authenticate as the Exchange Server. Once authenticated, an attacker could use a deserialization vulnerability (CVE-2021-26857) in the Unified Messaging service to run code as SYSTEM on the Exchange Server. Other options after initial authentication include writing code to arbitrary files using either CVE-2021-26858 or CVE-2021-27065; an attacker could use these last two vulnerabilities to plant a web shell for further exploitation and data exfiltration. Affected systems are Microsoft Exchange Server 2013, 2016, and 2019, and the patch KB5000871 should be applied immediately to mitigate these vulnerabilities. More information about the specific vulnerabilities, alternative mitigations, and indicators of compromise can be found at https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
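Because the arbitrary-file-write bugs above are typically used to drop a web shell under an IIS-served directory, one triage step while waiting to patch is to list recently written script files under the Exchange web roots. The script below is an added example, not Fortra's or Microsoft's code; the directory paths and the 30-day lookback are assumptions and should be adjusted to the installation.

```python
"""List recently modified script files under Exchange web roots.

Added example (not Fortra's code). The roots are assumed defaults for a
typical Exchange/IIS layout; pass real paths on the command line.
"""
import os
import sys
from datetime import datetime, timedelta, timezone

# Assumed locations; adjust to the actual Exchange install path.
ASSUMED_EXCHANGE_WEB_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
]
# Extensions IIS will execute as ASP.NET handlers.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}


def find_recent_web_files(roots, since, exts=SCRIPT_EXTS):
    """Return (path, mtime) pairs for files with a script extension whose
    modification time is at or after `since` (an aware UTC datetime),
    oldest first. Missing or unreadable entries are skipped."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    ts = os.path.getmtime(path)
                except OSError:
                    continue  # file vanished between listing and stat
                mtime = datetime.fromtimestamp(ts, tz=timezone.utc)
                if mtime >= since:
                    hits.append((path, mtime))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Assumed lookback window; widen it if exposure may be older.
    since = datetime.now(timezone.utc) - timedelta(days=30)
    roots = sys.argv[1:] or ASSUMED_EXCHANGE_WEB_ROOTS
    for path, mtime in find_recent_web_files(roots, since):
        print(f"{mtime.isoformat()}  {path}")
```

Any hit that is not accounted for by a known update or deployment should be reviewed against the indicators of compromise in the Microsoft advisory linked above.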

Fortra VM has released two checks for these vulnerabilities. An authenticated check, “MS21-MAR: Microsoft Exchange Server Out-of-Band Security Update (144100)”, was released in NIRV version 3.0.71.2 on March 4th, and an unauthenticated check, “Microsoft Exchange Server Remote Code Execution Vulnerability (144133)”, was released in NIRV version 3.0.72.0 on March 11th.

*At the time of this case study, Fortra VM and its corresponding security solutions were referred to under the Frontline brand.
