Advisory 16

TLP Rating: Clear

On-Premises Exchange Server Vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CERT Vanuatu (CERTVU) and the Office of the Government Information Officer were alerted to these vulnerabilities by their international partners.

The CERTVU office advises institutions and corporate companies that run on-premises Exchange Servers of the following. Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of MS Exchange Server in limited and targeted attacks.

What it looks like

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gives an actor the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.


References

  1. https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
  2. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  3. https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-002-active-exploitation-vulnerable-microsoft-exchange-servers
  4. https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
  5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855