If you are running Microsoft Exchange 2013, 2016, or 2019, you should be patching your servers as a priority. Four zero-day exploits have been seen in the wild; used together in an attack chain, they allow an attacker to achieve Remote Code Execution (RCE) on the server, leading to server hijacking, backdoors, data theft, and potentially further malware deployment. Next2IT recommends that the following patches provided by Microsoft are deployed as soon as possible:
- CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability that allows an unauthenticated attacker to send crafted HTTP requests to the server. The server must accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service that allows arbitrary code to run as SYSTEM. This vulnerability must, however, be combined with another vulnerability or used with stolen credentials.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability, allowing an authenticated attacker to write files to arbitrary paths on the server.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability, allowing an authenticated attacker to write files to arbitrary paths on the server.
Due to the nature of the exploits available, it is recommended that you verify the patches have been deployed correctly. Recent reports indicate that engineers have experienced issues patching servers due to User Account Control (UAC). This can lead to the patches being deployed incorrectly and the vulnerabilities not being remediated. Next2IT recommends that patches are applied locally as an administrator from an elevated command prompt.
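One way to confirm that a security update really landed, as an added example that is not Next2IT's or Microsoft's own script: it refuses to run unless the shell is elevated, then reads the build from ExSetup.exe (the binary the update replaces) and compares it with the patched build you pass in. It assumes it is run inside the Exchange Management Shell on the server, and that the expected build number is taken from Microsoft's release notes for the update you applied (no build number is hard-coded here).

```powershell
# Added example, not the page's or Microsoft's own code.
# Usage (elevated Exchange Management Shell):
#   .\Check-ExchangePatch.ps1 -ExpectedBuild <build from Microsoft's release notes>
param(
    # Assumption: the admin supplies the ExSetup.exe version Microsoft lists
    # for the patched build; nothing is guessed here.
    [Parameter(Mandatory = $true)]
    [version]$ExpectedBuild
)

# 1. Refuse to continue unless the shell is elevated. A non-elevated install is
#    exactly the UAC failure mode described above: the update appears to run
#    but the server is left unpatched.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Run this from an elevated (Run as administrator) shell."
}

# 2. Read the build actually on disk. Security updates replace ExSetup.exe, so
#    its file version reflects the installed patch level; Get-ExchangeServer's
#    AdminDisplayVersion only tracks Cumulative Updates and will not change
#    after a security update is applied.
$exsetup   = Get-Command ExSetup.exe -ErrorAction Stop
$installed = [version]$exsetup.FileVersionInfo.ProductVersion

# 3. Compare against the expected patched build and report clearly.
if ($installed -ge $ExpectedBuild) {
    Write-Output "PATCHED: ExSetup.exe is $installed (expected >= $ExpectedBuild)"
} else {
    Write-Warning "NOT PATCHED: ExSetup.exe is $installed, expected >= $ExpectedBuild"
    Write-Warning "Re-run the .msp from an elevated command prompt on this server."
}
```

Run it on every Exchange server rather than on one representative host, since the UAC problem affects each install independently.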