Multiple Vulnerabilities in Microsoft Exchange Server

  • CERT Admin
  • Fri Mar 05 2021
  • Alerts

Systems Affected

  ✻ Microsoft Exchange Server 2019 Cumulative Update 7
  ✻ Microsoft Exchange Server 2019 Cumulative Update 8
  ✻ Microsoft Exchange Server 2016 Cumulative Update 18
  ✻ Microsoft Exchange Server 2016 Cumulative Update 19
  ✻ Microsoft Exchange Server 2013 Cumulative Update 23


Threat Level

High


Overview

Multiple vulnerabilities have been identified in Microsoft Exchange Server which could allow an attacker to execute arbitrary code on the targeted system.
  ✻ CVE-2021-26855 - Server-side request forgery
  ✻ CVE-2021-26857 - Vulnerability in the Unified Messaging service
  ✻ CVE-2021-26858 - Post-authentication arbitrary file write
  ✻ CVE-2021-27065 - Post-authentication arbitrary file write


Description

These vulnerabilities exist in Microsoft Exchange Server and are reachable through untrusted connections to the Exchange server on port 443. An attacker could exploit them by luring a target user into opening a maliciously crafted file.
Successful exploitation of these vulnerabilities may result in complete compromise of the vulnerable system.


Impact

  ✻ Exposure of sensitive information to unauthorized parties
  ✻ Unauthorized access
  ✻ Execution of unwanted or malicious programs or code

Solution/ Workarounds

Apply the appropriate patches as listed below:
  ✻ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
  ✻ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
  ✻ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
  ✻ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

References

  ✻ https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html
  ✻ https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  ✻ https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
  ✻ https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
  ✻ https://www.cert-in.org.in/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.



Last updated: Tue Mar 02 2021