TR-61 - Critical vulnerabilities in Microsoft Exchange

Overview

Several critical vulnerabilities in Microsoft Exchange have been discovered. The vulnerabilities are actively being exploited.

  • CVE-2021-26412 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26854 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27078 - Microsoft Exchange Server Remote Code Execution Vulnerability

Vulnerable systems

  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23::::::
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18::::::
  • cpe:2.3:a:microsoft:exchange_server:2010:sp3:::::: (CVE-2021-26857)

Fixing and mitigation

For organisations operating vulnerable Microsoft Exchange servers, we recommend the following:

Prioritise installing the updates on externally facing Exchange servers; ultimately, all affected Exchange servers must be updated. Since some of the vulnerabilities were already exploited in the wild, we strongly recommend reviewing the security, and especially the logs, of your Microsoft Exchange servers for any indicators of exploitation.

Relying on patching alone is not sufficient: patching does not secure servers that are already compromised. Microsoft Exchange servers had already been compromised through the 0-day and fitted with persistent backdoors, meaning a patched system may still have one or more threat actors with access to it. We strongly recommend reviewing the logs and applying standard incident response procedures.

We recommend scanning a potentially compromised Exchange server with a script like:

The indicators (IoC) are also available in various MISP sharing communities (MISP event uuid: fd875781-262e-4159-a0cd-ac0241784cc7).

For information and access requests please see https://www.circl.lu/services/misp-malware-information-sharing-platform/

At the current stage, any unpatched Microsoft Exchange server should be considered compromised, given the wide availability of PoC exploits.

Who is using these vulnerabilities?

The Microsoft Exchange Server vulnerabilities were initially exploited by an activity group (called HAFNIUM by Microsoft) starting in late 2020. After the public release of the vulnerabilities, they were exploited by a different set of activity groups and threat actors. A new ransomware family, “DearCry”, exploits the Microsoft Exchange vulnerabilities to gain access and deploy the ransomware.

How can I check if my Exchange Server is patched?

The following table lists, per cumulative update (CU), the ExSetup.exe version that includes the patch. The file is located at %ExchangeInstallPath%\bin\ExSetup.exe; compare the version of the installed file with the one listed for your CU.

CU                   Filename     Patched version
Exchange 2010 CU 32  ExSetup.exe  14.3.513.0
Exchange 2013 CU 21  ExSetup.exe  15.0.1395.12
Exchange 2013 CU 22  ExSetup.exe  15.0.1473.6
Exchange 2013 CU 23  ExSetup.exe  15.0.1497.12
Exchange 2016 CU 12  ExSetup.exe  15.1.1713.10
Exchange 2016 CU 13  ExSetup.exe  15.1.1779.8
Exchange 2016 CU 14  ExSetup.exe  15.1.1847.12
Exchange 2016 CU 15  ExSetup.exe  15.1.1913.12
Exchange 2016 CU 16  ExSetup.exe  15.1.1979.8
Exchange 2016 CU 17  ExSetup.exe  15.1.2044.13
Exchange 2016 CU 18  ExSetup.exe  15.1.2106.13
Exchange 2016 CU 19  ExSetup.exe  15.1.2176.9
Exchange 2019 CU 3   ExSetup.exe  15.2.464.15
Exchange 2019 CU 4   ExSetup.exe  15.2.529.13
Exchange 2019 CU 5   ExSetup.exe  15.2.595.8
Exchange 2019 CU 6   ExSetup.exe  15.2.659.12
Exchange 2019 CU 7   ExSetup.exe  15.2.721.13
Exchange 2019 CU 8   ExSetup.exe  15.2.792.10
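The comparison against the table above, as an added Python example (not CIRCL's or Microsoft's tooling). It assumes the version string has already been read from the properties of ExSetup.exe on the server, treats the first three components (major.minor.build) as identifying the product line and CU, and treats the fourth as the security update level; a CU that is not in the table is reported as unknown rather than guessed.

```python
"""Check an ExSetup.exe version string against the patched builds listed in
TR-61.  Added example, not CIRCL's own tooling.  It assumes the version string
has already been read from the file's properties on the Exchange server."""

from typing import Dict, Tuple

# Patched ExSetup.exe versions from the advisory table (major.minor.build
# identifies the product line and cumulative update; the last number is the
# security update level).
PATCHED_VERSIONS: Dict[str, str] = {
    "Exchange 2010 CU 32": "14.3.513.0",
    "Exchange 2013 CU 21": "15.0.1395.12",
    "Exchange 2013 CU 22": "15.0.1473.6",
    "Exchange 2013 CU 23": "15.0.1497.12",
    "Exchange 2016 CU 12": "15.1.1713.10",
    "Exchange 2016 CU 13": "15.1.1779.8",
    "Exchange 2016 CU 14": "15.1.1847.12",
    "Exchange 2016 CU 15": "15.1.1913.12",
    "Exchange 2016 CU 16": "15.1.1979.8",
    "Exchange 2016 CU 17": "15.1.2044.13",
    "Exchange 2016 CU 18": "15.1.2106.13",
    "Exchange 2016 CU 19": "15.1.2176.9",
    "Exchange 2019 CU 3": "15.2.464.15",
    "Exchange 2019 CU 4": "15.2.529.13",
    "Exchange 2019 CU 5": "15.2.595.8",
    "Exchange 2019 CU 6": "15.2.659.12",
    "Exchange 2019 CU 7": "15.2.721.13",
    "Exchange 2019 CU 8": "15.2.792.10",
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '15.1.2106.13' into (15, 1, 2106, 13); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version string: {version!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return major, minor, build, rev


def classify(version: str) -> Tuple[str, str]:
    """Return (cumulative update, status) for an installed ExSetup.exe version.

    status is 'patched' when the installed revision is at or above the patched
    one for that CU, 'unpatched' when it is below, and 'unknown' when the CU is
    not in the advisory table (an older, unsupported CU or one released after
    the advisory), in which case Microsoft's own documentation must be checked.
    """
    installed = parse_version(version)
    for cu, patched_str in PATCHED_VERSIONS.items():
        patched = parse_version(patched_str)
        if installed[:3] == patched[:3]:  # same product line and CU
            status = "patched" if installed[3] >= patched[3] else "unpatched"
            return cu, status
    return "not in table", "unknown"


if __name__ == "__main__":
    # Constructed sample values, not real inventory data.
    for sample in ("15.1.2106.13", "15.1.2106.2", "15.2.792.10", "15.1.2242.4"):
        print(sample, "->", classify(sample))
```

A version whose build number is not in the table (for example a CU released after this advisory) is deliberately not reported as patched or unpatched; such servers need to be checked against Microsoft's current release information.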

Do I need to patch internal, non-exposed Exchange servers?

Yes.

Have you seen exploited servers in Luxembourg?

Yes.

I applied the patch and I don’t have any resources for further investigation. What should I do?

In all cases, we recommend performing a full incident response process, including a security review of the system.

If you have no resources for incident response, Microsoft provides the Exchange On-premises Mitigation Tool, which includes a mitigation process for systems that were already compromised when they were patched. This is not an ideal solution, but it is better than blindly patching.

What should I search for in the logs of my Exchange server?

According to the IC3.gov document, the exploitation uses XML SOAP POST requests against the unauthenticated part of IIS. Review your IIS logs for any POST requests to resources under the directory /owa/auth/Current/themes/resources/.

Review the ECP server logs (located in \Logging\ECP\Servers\) for the string S:CMD=Set-OabVirtualDirectory.ExternalUrl=.
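The two log checks above, as an added Python example (not CIRCL's or Microsoft's code). It assumes the IIS logs are in the standard W3C extended format with a #Fields header, matches the resource directory case-insensitively, and runs here on constructed log excerpts rather than real files; to use it, read the real IIS and ECP log files and pass their contents to parse_w3c and find_ecp_set_oab. The ECP column layout and the value after the marker are placeholders, not a real log format or payload.

```python
"""Triage Exchange IIS and ECP server logs for the two indicators named in
TR-61.  Added example (not CIRCL's or Microsoft's code); the log excerpts below
are constructed for illustration and are not from a real incident."""

from typing import Dict, List, Tuple

# Indicator 1: POST requests to resources under this OWA directory
# (compared case-insensitively, since IIS paths are not case sensitive).
OWA_RESOURCE_PREFIX = "/owa/auth/current/themes/resources/"
# Indicator 2: this string in the ECP server logs.
ECP_SET_OAB_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl="

# Constructed IIS W3C log excerpt: a benign GET of a theme resource, a normal
# login POST, and one POST to the theme resource directory.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-04 10:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.42 Mozilla/5.0 200
2021-03-04 10:15:09 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 10.0.0.42 Mozilla/5.0 200
2021-03-04 10:15:20 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.42 Mozilla/5.0 302
2021-03-04 10:16:31 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.7 python-requests/2.25 200
"""

# Constructed ECP server log excerpt (real files live under the Exchange
# install path in \Logging\ECP\Servers\); the column layout is a placeholder
# and the value after the marker is a placeholder, not the real payload.
SAMPLE_ECP_LOG = """\
DateTime,RequestId,ServerName,Operation,Details
2021-03-04T10:15:02.000Z,req-0001,EXCH01,Get-Mailbox,S:CMD=Get-Mailbox.Identity=user1
2021-03-04T10:16:40.000Z,req-0002,EXCH01,Set-OabVirtualDirectory,S:CMD=Set-OabVirtualDirectory.ExternalUrl=<PLACEHOLDER-VALUE>
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse a W3C extended log into rows keyed by the names from #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if not fields or len(tokens) != len(fields):
            continue  # malformed or pre-#Fields line: skip rather than guess
        rows.append(dict(zip(fields, tokens)))
    return rows


def find_owa_resource_posts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Indicator 1: POST requests whose URI stem lies under the theme resource directory."""
    return [
        row for row in rows
        if row.get("cs-method", "").upper() == "POST"
        and row.get("cs-uri-stem", "").lower().startswith(OWA_RESOURCE_PREFIX)
    ]


def find_ecp_set_oab(text: str) -> List[Tuple[int, str]]:
    """Indicator 2: (line number, line) pairs containing the Set-OabVirtualDirectory marker."""
    return [
        (number, line)
        for number, line in enumerate(text.splitlines(), start=1)
        if ECP_SET_OAB_MARKER in line
    ]


if __name__ == "__main__":
    for hit in find_owa_resource_posts(parse_w3c(SAMPLE_IIS_LOG)):
        print("IIS:", hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
    for number, line in find_ecp_set_oab(SAMPLE_ECP_LOG):
        print(f"ECP line {number}:", line)
```

Only the POST to the theme resource directory is reported; the GET of the same file and the ordinary login POST are not, which is what keeps the review list short. Each hit is a lead for the incident response review recommended above, to be read together with the client address, timestamp and status code of the request.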

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.3 - TLP:WHITE - Add Microsoft Defender Antivirus
  • Version 1.2 - TLP:WHITE - Add Microsoft mitigation tool - 16 March 2021
  • Version 1.1 - TLP:WHITE - Add a list of fixed version from ExSetup.exe - 15 March 2021
  • Version 1.0 - TLP:WHITE - First version - 12 March 2021