MR - stock.adobe.com

NSA unearths more MS Exchange vulnerabilities

Microsoft patches more critical vulnerabilities in Exchange Server a month after the ProxyLogon incident, after being warned by the US National Security Agency

Just weeks after the disclosure of a series of critical zero-days in Microsoft Exchange Server caused consternation in the cyber community, Microsoft has patched four new vulnerabilities in the same product set in its April 2021 Patch Tuesday drop, after being alerted to them by the US National Security Agency (NSA).

The four vulnerabilities in question impact Exchange Server 2013, 2016 and 2019, and have been assigned CVEs 2021-28480, -28481, -28482 and -28483. Their common vulnerability scoring system (CVSS) ratings range from 8.8 to 9.8 and three are rated critical, carrying a CVSS score of more than nine. Two of them, -28480 and -28481, are pre-authentication, which means an attacker does not need to authenticate to a vulnerable Exchange server to exploit them.

Unlike the ProxyLogon vulnerabilities, Microsoft does not believe they have been exploited in the wild yet, but if successfully taken advantage of, they would enable remote code execution (RCE), giving malicious actors free rein within their target networks.

In a blog post, Microsoft said recent events had shown how security hygiene and patch management were more important than ever, so it was crucial for users of its products to ensure they were keeping up to date.

“Microsoft is committed to supporting our customers through this and we urge customers to make every effort to update their software to the latest supported version and install security updates, if automatic updates are not already turned on, as soon as possible to help protect from today’s dynamic threat landscape,” said Redmond.

“It is common for attackers to shift their efforts to exploit recently disclosed vulnerabilities before the latest updates or patches are installed, which is why it is so important that customers migrate to the latest supported software.

“This month’s release includes a number of critical vulnerabilities that we recommend you prioritise, including updates to protect against new vulnerabilities in on-premise Exchange Servers. Given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats. Customers using Exchange Online are already protected and do not need to take any action.”

The UK’s National Cyber Security Centre (NCSC) said: “As part of Microsoft’s scheduled April update cycle, a number of critical severity vulnerabilities were addressed in Microsoft Exchange. We have no information to suggest that these vulnerabilities are being used in active exploitation. However, given the recent focus on Exchange, we recommend the installation of updates as soon as practicable, as attackers may seek to build exploit capability which could be used against systems before the updates are applied.”

The US Cyber Security and Infrastructure Security Agency (CISA) also issued an emergency directive urging organisations to apply the April patches, and has issued new direction requiring US federal bodies to update immediately. Private sector organisations are also strongly urged to do the same.

CVEs top 100 for first time in 2021

The full Patch Tuesday drop addresses 108 CVEs in total, 19 rated critical. This is the first time in 2021 that Microsoft has patched more than 100 CVEs at once.

Chris Goettl, Ivanti’s senior director of product management, said: “There are a lot of vulnerabilities being resolved this month. The good news is that most of them are in the OS. Knocking the OS out quickly will reduce a significant amount of risk this month. Top priorities this month should include the Windows OS, Edge (Chromium), and Exchange Server.”

Justin Knapp, senior product marketing manager at Automox, said he expected the bumper patch to be a harbinger of things to come.

“This represents an overall upward trend that is expected to continue throughout the year and draw greater urgency around patching velocity to ensure organisations are not taking on unnecessary exposure, especially given the increased exploitation of known, dated vulnerabilities,” he said.

“With the dramatic shift to remote work in 2020 now becoming a permanent fixture in 2021, it is also worth noting the significance of employing measures that can immediately push newly released security updates across a more decentralised, diverse set of assets and environments.”

Besides the Exchange Server vulnerabilities, Tenable staff research engineer Satnam Narang highlighted CVE-2021-28310 as one to watch. This is a Win32K elevation of privilege zero-day vulnerability.

“Exploitation of this vulnerability would give the attacker elevated privileges on the vulnerable system,” said Narang. “This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs.

Read more about Patch Tuesday

“Elevation-of-privilege vulnerabilities are leveraged by attackers post-compromise, once they have managed to gain access to a system in order to execute code on their target systems with elevated privileges.”

Allan Liska, senior security architect at Recorded Future, added some other highlights that CISOs may want to prioritise this month.

“There are several remote code execution [RCE] vulnerabilities in Microsoft Office products released this month as well,” he said. “CVE-2021-28454 and CVE-2021-28451 are RCE vulnerabilities in Microsoft Excel, while CVE-2021-28453 is an RCE vulnerability in Microsoft Word and CVE-2021-28449 is an RCE vulnerability in Microsoft Office. All four vulnerabilities are labelled by Microsoft as Important. These vulnerabilities impact all versions of their respective products, including Office 365.

“CVE-2021-28312 is one of the publicly disclosed vulnerabilities. It is a denial-of-service [DoS] vulnerability in Windows NTFS. This vulnerability impacts Windows NTFS running on Windows 10 and Windows Server 2019. Microsoft rates this vulnerability as Moderate. 

“Another publicly disclosed vulnerability is CVE-2021-27091 – this is an elevation of privilege vulnerability in the RPC Endpoint Mapper. Microsoft labelled this vulnerability Important and it impacts Windows 7 and Windows Server 2008 and 2012. While RPC vulnerabilities are not usually widely exploited in the wild, this could be an interesting one to watch out for as attackers often use RPC to execute code on remote systems. This vulnerability would allow an attacker to execute remote code at a higher privileged level.”

Read more on Application security and coding requirements

CIO
Security
Networking
Data Center
Data Management
Close