Overview
Several critical vulnerabilities in Microsoft Exchange have been discovered. The vulnerabilities are actively being exploited.
- CVE-2021-26412 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26854 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26857 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26858 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-27078 - Microsoft Exchange Server Remote Code Execution Vulnerability
Vulnerable systems
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23::::::
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18::::::
- cpe:2.3:a:microsoft:exchange_server:2010:sp3:::::: (CVE-2021-26857)
Fixing and mitigation
For organisations with vulnerable Microsoft Exchange servers, we recommend the following:
Prioritize installing the updates on Exchange servers which are externally facing; all affected Exchange servers must ultimately be updated. Because some of the vulnerabilities were already exploited in the wild, we strongly recommend reviewing the security of your Microsoft Exchange server, and especially its logs, for any indicators of exploitation.
Relying on patching alone is not sufficient: patching does not secure servers that are already compromised. Microsoft Exchange servers had already been compromised through the 0-day and fitted with a persistent backdoor, meaning a patched system may still have one or more threat actors with access to it. We strongly recommend reviewing the logs and applying standard incident response procedures.
We recommend scanning potentially compromised Exchange servers with a script such as:
- https://github.com/microsoft/CSS-Exchange/tree/main/Security
- https://github.com/cert-lv/exchange_webshell_detection
The indicators (IoC) are also available in various MISP sharing communities (MISP event uuid: fd875781-262e-4159-a0cd-ac0241784cc7).
For information and access requests please see https://www.circl.lu/services/misp-malware-information-sharing-platform/
At the current stage, any unpatched Microsoft Exchange server can be considered compromised due to the wide availability of PoC exploits.
Who is using these vulnerabilities?
The Microsoft Exchange Server vulnerabilities were initially exploited by an activity group (called HAFNIUM by Microsoft) starting in late 2020. After the vulnerabilities were publicly disclosed, they were exploited by a different set of activity groups/threat actors. A new ransomware, “DearCry”, exploits the Microsoft Exchange vulnerabilities to deploy itself.
How can I check if my Exchange Server is patched?
The following table lists, per Cumulative Update (CU), the version of ExSetup.exe that corresponds to a patched installation. The file can be found in %ExchangeInstallPath%\bin\ExSetup.exe.
CU | Filename | Patched version |
---|---|---|
Exchange 2010 CU 32 | ExSetup.exe | 14.3.513.0 |
Exchange 2013 CU 21 | ExSetup.exe | 15.0.1395.12 |
Exchange 2013 CU 22 | ExSetup.exe | 15.0.1473.6 |
Exchange 2013 CU 23 | ExSetup.exe | 15.0.1497.12 |
Exchange 2016 CU 12 | ExSetup.exe | 15.1.1713.10 |
Exchange 2016 CU 13 | ExSetup.exe | 15.1.1779.8 |
Exchange 2016 CU 14 | ExSetup.exe | 15.1.1847.12 |
Exchange 2016 CU 15 | ExSetup.exe | 15.1.1913.12 |
Exchange 2016 CU 16 | ExSetup.exe | 15.1.1979.8 |
Exchange 2016 CU 17 | ExSetup.exe | 15.1.2044.13 |
Exchange 2016 CU 18 | ExSetup.exe | 15.1.2106.13 |
Exchange 2016 CU 19 | ExSetup.exe | 15.1.2176.9 |
Exchange 2019 CU 3 | ExSetup.exe | 15.2.464.15 |
Exchange 2019 CU 4 | ExSetup.exe | 15.2.529.13 |
Exchange 2019 CU 5 | ExSetup.exe | 15.2.595.8 |
Exchange 2019 CU 6 | ExSetup.exe | 15.2.659.12 |
Exchange 2019 CU 7 | ExSetup.exe | 15.2.721.13 |
Exchange 2019 CU 8 | ExSetup.exe | 15.2.792.10 |
Do I need to patch internal and non-exposed Exchange servers?
Yes.
Have you seen exploited servers in Luxembourg?
Yes.
I applied the patch and I don’t have any resources for doing further investigation. What should I do?
In all cases, we recommend performing a full incident response process, including a security review of the system.
If you have no resources for incident response, Microsoft provides the Exchange On-premises Mitigation Tool, which includes a mitigation process for systems that are already compromised and patched. This is not an ideal solution, but it is better than blindly patching.
What should I search for in the logs of my Exchange server?
Based on the IC3.gov document, the exploitation uses XML SOAP POST requests to the unauthenticated part of IIS. Review your logs for any POST requests for resources in the directory /owa/auth/Current/themes/resources/.
Review the ECP server logs (located in \Logging\ECP\Servers\) for S:CMD=Set-OabVirtualDirectory.ExternalUrl=.
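As an added example (not part of the advisory or of the IC3.gov material), the following Python applies both searches to constructed sample lines: a W3C-format IIS log whose field positions are read from its #Fields header (the header shown is an assumption about the logging configuration, not a real excerpt), and ECP server log lines, for which only the substring match on S:CMD=Set-OabVirtualDirectory.ExternalUrl= is relied on because the surrounding field layout is assumed.

```python
# Added example (not part of the advisory): scan IIS W3C logs for POST
# requests under /owa/auth/Current/themes/resources/ and ECP server logs for
# S:CMD=Set-OabVirtualDirectory.ExternalUrl=.  All sample lines below are
# constructed; the IIS "#Fields:" layout is an assumption about your setup.

IIS_RESOURCE_PREFIX = "/owa/auth/Current/themes/resources/"
ECP_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl="

def scan_iis_log(lines):
    """Yield (date, time, c-ip, uri) for POSTs under the resources folder.
    Field positions come from the '#Fields:' directive, so any field order
    works as long as that header precedes the records."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "")
        if (rec.get("cs-method") == "POST"
                and uri.lower().startswith(IIS_RESOURCE_PREFIX.lower())):
            yield (rec.get("date"), rec.get("time"), rec.get("c-ip"), uri)

def scan_ecp_log(lines):
    """Return the ECP server log lines that carry the OAB ExternalUrl marker."""
    return [line.rstrip() for line in lines if ECP_MARKER in line]

def find_indicators(iis_lines, ecp_lines):
    return {"iis_posts": list(scan_iis_log(iis_lines)),
            "ecp_oab": scan_ecp_log(ecp_lines)}

# Constructed sample data, not real log excerpts.
IIS_SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:15:09 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-03 10:16:44 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.2 Mozilla/5.0 200
""".splitlines()

ECP_SAMPLE = """2021-03-03T10:15:05.123Z,10.0.0.5,ecp,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://placeholder.example/'
2021-03-03T10:20:00.000Z,10.0.0.5,ecp,S:CMD=Get-OabVirtualDirectory
""".splitlines()
```

Normal clients legitimately GET the stylesheets and images under that directory, which is why the IIS filter keys on the POST method rather than on the path alone.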
References
- March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server
- Multiple Security Updates Released for Exchange Server – updated March 8, 2021
- Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- How Tanium Can Help with the March 2021 Exchange Vulnerabilities (aka CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus
- Compromise of Microsoft Exchange Server and details about log analysis
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.3 - TLP:WHITE - Add Microsoft Defender Antivirus
- Version 1.2 - TLP:WHITE - Add Microsoft mitigation tool - 16 March 2021
- Version 1.1 - TLP:WHITE - Add a list of fixed version from ExSetup.exe - 15 March 2021
- Version 1.0 - TLP:WHITE - First version - 12 March 2021