Threat Response: Multiple Critical Vulnerabilities in Microsoft Exchange Server
On the evening of 13 April 2021, Microsoft released information about critical vulnerabilities in Exchange Server, as part of the monthly updates . The impact of these vulnerabilities is high, and in this message, we inform you about the threat and how to mitigate it.
Microsoft addresses 4 critical vulnerabilities in updates for Exchange Server. The vulnerabilities have been disclosed by the NSA and are registered by the following IDs and their relative CVSS-3.0 score:
- CVE-2021-28480 (9.8)
- CVE-2021-28481 (9.8)
- CVE-2021-28482 (8.8)
- CVE-2021-28483 (9.0)
The following versions are affected:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
All aforementioned vulnerabilities can lead to remote code execution on the targeted machine. Two of those, CVE-2021-28480 and CVE-2021-28481, do not require any authentication, so any remote attacker can run code without the necessity of having privileged access. The only requirement is that the Exchange Server is accessible directly from the internet.
The vulnerabilities can result in an attacker taking full control of the Exchange Server. From there on, they may proceed with other known techniques to acquire credentials, setting up a connection to Command-and-Control servers or exfiltrate data. Therefore, Northwave classifies the impact of the vulnerabilities as high.
Although currently no known public exploit exists, the information provided now can be used to craft new exploits. Therefore, Northwave expects a public exploit to be available soon. This will likely result in more attacks being carried out. Northwave estimates the risk of an attack to be high.
The risk related to these vulnerabilities is similar to the risk that accompanied the vulnerabilities that came to light last month. Northwave has received many reports of compromised servers during that campaign, that in some cases led to Ransomware infections. Therefore, it is of upmost importance to perform the mitigation steps outlined below as soon as possible on any vulnerable system, to reduce the risk of an attack.
As part of “Patch Tuesday”, Microsoft has release updates addressing the vulnerabilities. Northwave urges to roll these out as soon as possible. For more information, we refer to Microsoft’s update information .
Note: In some cases, the update might look to be successful, but has been stopped in the background by “User Account Control”. Please refer to the “Known Issues” section in the Microsoft pages .
What will Northwave do?
At this moment, technical details regarding these vulnerabilities are not yet published, and monitoring on abuse of these vulnerabilities is not yet possible. Northwave continues to investigate the possibilities for monitoring exploitation attempts of this vulnerability and will implement detection rules when possible.
Northwave monitors developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.