Advisory 16

TLP Rating: White

On-Premises Exchange Server Vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CERT Vanuatu (CERTVU) and the Office of the Government Information Officer was alerted of these vulnerabilities by its international partners.

The CERTVU office would like to advise institutions and corporate companies with on-premises Exchange Servers. Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of MS Exchange servers in limited and targeted attacks.

What it looks like

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is reserialized by a program. Exploiting this vulnerability gives an actor the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

What this means

The threat actor(s) who capitalize on these vulnerabilities to access on-premises Exchange Servers which enables access to email accounts, and allow installation of additional malware to facilitate longterm access to victim environment.

For example, The CVE-2021-26855 vulnerability does not require authentication, and is trivial to exploit. Once initial exploitation is successful actors are able to retrieve e-mail inventories from all users stored on the server. Moreover, malicious actors can exploit one of the other vulnerabilities to achieve arbitrary remote code execution or arbitrary file upload on the targeted server.

Malicious actors have leveraged these vulnerabilities to establish persistence utilizing web shells on the compromised Microsoft Exchange servers, enabling further compromise of the Exchange server and associated internal network.

 

Background information of the attacker(s)

Microsoft Threat Intelligence Center (MSTIC) is associating this attack with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China.

Which Microsoft Exchange systems are Vulnerable?

The vulnerability exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065.

The MS Exchange Servers affected are MS Exchange 2010, MS Exchange 2013, MS Exchange 2016 and MS Exchange 2019.

Exchange on-line is NOT affected .

Prevention

  1. Immediately apply updates and patches from Microsoft for the affected MS Exchange Server versions;
  2. If patching from Microsoft cannot be executed immediately, apply these following temporary measures:
  3. Prevent access to vulnerable Microsoft Exchange Servers from the Internet; or
  4. Remove vulnerable Microsoft Exchange Servers from the Network.
  5. Implement the interim mitigations advised by Microsoft as shown below:

Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019:

  • Implement an IIS Re-Write Rule to filter malicious https requests
  • Disable Unified Messaging (UM)
  • Disable Exchange Control Panel (ECP) VDir
  • Disable Offline Address Book (OAB) VDir

References

  1. https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-forexchange-server/
  2. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchangeservers/
  3. https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-002-activeexploitation-vulnerable-microsoft-exchange-servers
  4. https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilitiesmitigations-march-2021/
  5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855