Over the last couple of days, Microsoft released out-of-band security updates to address multiple vulnerabilities in Microsoft Exchange that could allow an unauthenticated, remote attacker to exploit an Exchange Server by sending a specially crafted HTTP request over port 443 allowing the attacker to authenticate.
These are the recommended security updates:
- Update KB5000871 has been released for the latest release of the latest three versions of Microsoft Exchange (2013-2019) and the previous release for currently supported versions (2016, 2019).
- Update KB5000978 has been released for the latest release of Microsoft Exchange 2010.
At OneNeck, we take these threats very seriously and are actively creating patching baselines, working on plans and scheduling to apply these vulnerability patches with customers that have Managed Exchange Services with OneNeck.
Additional Information From Microsoft:
Mitigations (From Microsoft CVE)
The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.
We recommend prioritizing installing updates on Exchange Servers that are externally facing.
FAQ (From Microsoft CVE)
Q: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack.
Q: What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
- Security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
- Security update for Microsoft Exchange Server 2010
- Microsoft Security Blog
- Microsoft CVE
- Mitre CVE
If you have any questions or concerns that you’d like to discuss with a OneNeck security expert, we’re here to help.
This post CVE-2021-26855 – Microsoft Exchange Server Remote Code Execution Vulnerability first appeared on OneNeck.