Microsoft Patches 4 Additional Exchange Flaws
NSA Calls on Exchange Customers to Immediately Update
Microsoft issued patches Tuesday for four new critical vulnerabilities in the company's on-premises Exchange Server software. The flaws were discovered by the U.S. National Security Agency and disclosed to Microsoft.
The company says customers using on-premises Exchange should prioritize these patches.
"We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats," the Microsoft Security Response Center says.
The NSA joined with Microsoft in urging users to make the updates immediately.
"The U.S. government will lead by example - we are requiring all agencies to immediately patch their Exchange servers as well," says Anne Neuberger, deputy national security adviser for cyber and emerging technology. "Cybersecurity is a top priority for the Biden administration, and we’re committed to sharing actionable and timely information to help the American public operate safely online."
In early March, Microsoft patched four other vulnerabilities in Exchange. The company believes a China-based group it calls Hafnium has exploited the flaws to gain persistent access to email systems, but researchers say several criminal groups have exploited the flaws.
RiskIQ estimated that in mid-March about 400,000 on-premises Exchange servers were vulnerable. Microsoft reported that as of March 26, more than 92%, or around 368,000, had been patched or mitigated.
In an unprecedented action, the FBI is now removing web shells from on-premises Microsoft Exchange servers at organizations in at least eight states that were infected in a wave of attacks earlier this year.
Additional Exchange Vulnerabilities
The four newly patched vulnerabilities are tracked as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483. All can lead to remote code execution if exploited, Microsoft says. On its exploitability index, the company rates each vulnerability as "exploitation more likely," which is only one slot below the most severe rating - "exploitation detected."
"Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw," says Satnam Narang, staff research engineer with Tenable. "With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately."
Chris Goettl, senior director of security with Ivanti, does not believe these are the last of the Exchange vulnerabilities to be disclosed.
"On the heels of serious exploit activity on Microsoft Exchange, you can expect security analysts at the NSA are finding more vulnerabilities," Goettl says. "Threat actors are also swarming around Microsoft Exchange to see what more they can find as well."
In other patching moves, Microsoft also issued a patch for the zero-day vulnerability CVE-2021-28310 in Desktop Window Manager that was uncovered by Kaspersky, which believes the vulnerability is being exploited in the wild, possibly by several threat groups.
"It is an escalation of privilege exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access," Kaspersky says.
The Kaspersky researchers say they could not capture a full chain, so they do not know if the exploit is being used with another browser zero-day or being coupled with known, patched vulnerabilities. The zero-day flaw is an out-of-bounds write vulnerability in dwmcore.dll, which is part of Desktop Window Manager. Due to the lack of bounds checking, attackers can create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API, Kaspersky says.
"This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs," Narang says.