Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in widespread attacks by hackers worldwide, affecting at least 30,000 organizations within the United States.
The critical vulnerabilities affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019; Exchange Online is not affected. Below is a summary of each, as described in Microsoft's vulnerability database.
- CVE-2021-26855: CVSS 9.1: a server-side request forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests to the server and authenticate as the Exchange server itself. The server must accept untrusted connections on port 443 for the bug to be reachable, which makes this the entry point of the attack chain.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service, allowing arbitrary code execution as SYSTEM. On its own it is not enough: it must be chained with another vulnerability (such as the SSRF above) or used with stolen credentials.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability. An attacker who has authenticated (for example, by way of CVE-2021-26855) can write a file to any path on the server.
- CVE-2021-27065: CVSS 7.8: a second post-authentication arbitrary file write vulnerability with the same effect. In observed attacks these file writes were used to drop web shells for persistent access.
It is important to quickly assess the impact and risk both internally and across your third-party population. Take action now and follow these three steps to assess the potential impact, remediate affected servers, and investigate compromised systems or data.
STEP 1: Determine if you have been impacted.
Quickly assess if you or your critical third parties have been impacted with this Microsoft Exchange Vulnerability Response Survey. Current Whistic customers can access the survey as a Standard questionnaire in the platform.
STEP 2: Immediately patch all affected servers, whether or not you have found signs of compromise.
Microsoft strongly recommends that customers upgrade their Exchange environments to the latest supported version and apply the March 2021 security updates.
- This method is the only complete mitigation and has no impact on functionality.
- Microsoft's release notes for the security update describe how to install it.
- This will not evict an adversary who has already compromised a server.
For customers who cannot quickly apply updates, Microsoft has published interim mitigations (for example, an IIS rewrite rule that blocks the request pattern used for the SSRF, and disabling the Unified Messaging service and the ECP and OAB virtual directories) for customers who need more time to patch and are willing to make risk and service function trade-offs. These mitigations only narrow the known exploit chain; they are not a substitute for the security update.
STEP 3: Investigate Exchange deployments.
As noted above, upgrading to the latest version does not address previously compromised systems or prevent bad actors who have already accessed systems from continuing to operate within the network. It is recommended that you investigate your Exchange deployments using Microsoft's published hunting recommendations to confirm that they have not been compromised, in particular the HttpProxy logs (for the SSRF request pattern) and the web directories where web shells were dropped.
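The check below is an added example for this step, not part of the original post and not Microsoft's own hunting script. It looks for the CVE-2021-26855 SSRF pattern Microsoft described in the Exchange HttpProxy logs (unauthenticated requests whose AnchorMailbox value has the form "ServerInfo~<host>/<path>") and lists recently written .aspx files in the directories where web shells were typically dropped. The sample log rows are constructed, and the column names beyond DateTime, AuthenticatedUser and AnchorMailbox are assumed; the log and directory paths are the default Exchange 2013/2016/2019 install locations.

```powershell
# Added example: hunt for ProxyLogon indicators on an on-premises Exchange server.
# Not the original post's or Microsoft's code. Run in an elevated PowerShell
# session on the Exchange server.

# Constructed sample rows in the HttpProxy CSV layout (column names partly assumed).
$sampleCsv = @'
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.123Z,1,203.0.113.5,/owa/auth/logon.aspx,,
2021-03-02T10:15:07.456Z,2,203.0.113.5,/ecp/y.js,,ServerInfo~a]@exch01.corp.example/autodiscover/autodiscover.xml?#
2021-03-02T10:16:22.789Z,3,10.0.0.7,/owa/,CORP\alice,alice@corp.example
'@

function Find-ProxyLogonSsrf {
    # Returns the rows that match the SSRF pattern: no authenticated user, and an
    # AnchorMailbox that names a server and path instead of a mailbox.
    param([Parameter(Mandatory)] [object[]] $LogRows)
    $LogRows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

# Offline run against the constructed rows: only request 2 should be reported.
$rows = $sampleCsv | ConvertFrom-Csv
Find-ProxyLogonSsrf -LogRows $rows | Format-Table -AutoSize

# On a real server, feed every HttpProxy log file instead.
$logRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\Logging\HttpProxy'
if (Test-Path $logRoot) {
    $realRows = Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' |
        ForEach-Object { Import-Csv -Path $_.FullName }
    Find-ProxyLogonSsrf -LogRows $realRows | Format-Table -AutoSize
}

# The file-write bugs were used to drop .aspx web shells; list anything written
# in the usual drop directories since the start of the known attack window
# (late February 2021; adjust the date to your own exposure window).
$shellDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth')
)
foreach ($dir in $shellDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Filter '*.aspx' |
            Where-Object { $_.LastWriteTime -ge (Get-Date '2021-02-26') } |
            Select-Object FullName, LastWriteTime
    }
}
```

A hit from either check is a reason to treat the server as compromised and move to incident response (preserve the logs and the suspicious files before cleaning up), not just to patch. Absence of hits is weaker evidence: logs roll over, and attackers who gained SYSTEM can remove their own traces.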