Five Zero Days, Four in Exchange Server, Patched by Microsoft
The bugs, discovered by the NSA, "could allow persistent access and control of enterprise networks."
Microsoft patched four more Exchange Server vulnerabilities as part of its regularly scheduled Patch Tuesday updates this week, just weeks after it after it patched four other Exchange zero day vulnerabilities it said it observed being used in targeted attacks.
All of the Exchange bugs fixed Tuesday (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) are remote code execution vulnerabilities – meaning they’re considered critical and can lead to data loss. All can be found in Exchange Server, 2013, 2016, and 2019.
These bugs weren't found internally; the National Security Agency (NSA) discovered the vulnerabilities and reported them to Microsoft.
“After we disclosed these vulnerabilities to Microsoft, they promptly created a patch. NSA values partnership in the cybersecurity community. No one organization can secure their networks alone," the NSA said in a statement Tuesday. In a post on Twitter following the news, the NSA warned that the vulnerabilities could "could allow persistent access and control of enterprise networks."
It's the second time in recent memory that the NSA has alerted the company of a severe vulnerability. In January 2020, the agency let the company know of a critical issue in Windows 10 that could have let attackers carry out man-in-the-middle attacks.
News of these bugs comes only a few weeks removed from the first wave of Exchange vulnerabilities, patched at the beginning of March. Those vulnerabilities were exploited via a state-sponsored group Microsoft said it believes operates out of China dubbed Hafnium. The company was forced to issue an out of band patch for those bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) after it reported they were being used to bypass authentication to access on-premises mail servers and steal emails.
For the latest round of vulnerabilities, administrators will want to pay attention to the different update paths Microsoft has supplied if their version of Exchange Server is running one of the supported Cumulative Updates, CU23, CU19 and CU20, or CU8 and CU9.
While none of the bugs are currently being exploited in the wild, given the recent onslaught of vulnerabilities uncovered in Exchange, Microsoft is encouraging administrators patch as soon as possible.
"Given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats," the company said in a blog post to its Security Response Center.
The United States Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) were among some of the first agencies, domestically and abroad, to recommend organizations patch as soon as possible.
CISA in particular is asking all federal entities to patch the Exchange vulnerabilities by 12:01 a.m. Friday.
"CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information," CISA wrote in a supplement to its Emergency Directive 21-02 Tuesday.
At first glance, the bugs fixed this week actually sound more severe than the bugs exploited by the Hafnium APT group. Those bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) had CVSS 3.0 ratings of 9.1, 7.8, 7.8, and 7.8. This week's are 9.8, 9.8, 8.8, and 7.8 respectively.
Not patched this week was a vulnerability in Exchange Server unearthed at last week’s Pwn2Own hacking competition. Details of that bug aren't fully known, other than that it combines an authentication bypass and a local privilege escalation. Assuming specifics about the vulnerability don’t spill out, it’s more likely we'll see a patch for it in next month’s Patch Tuesday updates.
The four Exchange bugs were some of 114 vulnerabilities fixed by Microsoft on Tuesday. One of those bugs lost in the shuffle of yesterday's deluge of patches was a fix for another zero day, CVE-2021-28310, in Desktop Window Manager uncovered by Kaspersky Lab researchers in February.
The bug, a Win32k elevation of privilege vulnerability in Desktop Window Manager, is believed to be the only bug patched yesterday that’s currently being exploited in the wild. Researchers with the firm said Tuesday they weren't able to determine the exploit's full infection chain but that it's possible the bug is being used with other browser exploits to escape sandboxes or obtain system privileges.
Additional bugs in Windows, Edge, SharePoint Server, Hyper-V, Visual Studio, Team Foundation Server, and Azure and Azure DevOps Server were also resolved this week.
The patches came on the same day that the Justice Department disclosed a court-authorized effort to disrupt the exploitation of the Exchange vulnerabilities targeted by attackers in January and February.
In an announcement Tuesday evening, the DOJ described how it was able to delete malicious webshells from hacked Exchange instances without users’ knowledge. By issuing commands through the web shell to the server, the FBI was able to remove web shells from hundreds of web shells from compromised networks.