Microsoft Server Exchange Vulnerability's antidote

Microsoft reported on 25th March evening about an up-to-date Microsoft Defender Antivirus and System Center Endpoint Security will now mitigate CVE-2021-26855, one of four vulnerabilities, Microsoft discovered by observing hackers in the wild.

The Exchange security update is still the most comprehensive way to protect the servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help, protect customers while they take the time to implement the latest Exchange Server Update for their version of Exchange.

The implementation of a recent security intelligence update for Microsoft Defender Antivirus and System Center Endpoint Protection means that mitigations will be applied on vulnerable Exchange servers when the software is deployed, without any further input from users. 

Affected CVE - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 

How the vulnerability works?

  1. The hackers were observed in the wild take advantage of multiple CVEs that can result in exfiltration of email inboxes and remote code execution when chained together.
  2. Majorly, hackers are exploiting a server-side request forgery (SSRF) vulnerability named as CVE-2021-26855 to send arbitrary HTTP requests and authenticate as the Microsoft Exchange server.
  3. Using this SYSTEM-level authentication to send SOAP payloads that are insecurely deserialized by the Unified Messaging Service, as CVE-2021-26857.
  4. Additionally, taking advantage of CVE-2021-26858 and CVE-2021-27065 to upload arbitrary files such as webshells that allow further exploitation of the system along with a base to move laterally to other systems and networks. These file writes require authentication but this can be bypassed using CVE-2021-26855.

 

 

Remediations:

  • To address crucial vulnerabilities in Exchange Server, Microsoft has introduced an automated mitigation tool within Defender Antivirus.
  • According to the firm, Microsoft Defender Antivirus will automatically identify if a server is vulnerable and apply the mitigation fix once per machine. 
  • If automatic updates aren't allowed, users should manually install the latest update and ensure that their device is at least version 1.333.747.0 or newer. While cloud security is not needed in order to obtain the mitigation patch, the company advises that it be enabled as a best practice.
  • "The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases," Microsoft says. "This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange."