Confirmed Affected Software:
Microsoft Exchange [1]
Executive Summary
Earlier this month, Microsoft published information about a series of vulnerabilities that affect on-premises Microsoft Exchange Server. If exploited, these vulnerabilities can lead to a full compromise of the server and of the network environment in which the server is housed.
The information contained within this alert has been derived from multiple sources and is accurate as of the date of publishing. We are expecting future updates to be made to this alert as more information becomes available.
These vulnerabilities are being actively exploited in the wild around the world, primarily by the HAFNIUM threat actor, to gain access to on-premises Exchange servers. While some reporting highlights attacks specifically targeting US-based companies and entities, the impact is global and victims are located worldwide. Chaining these vulnerabilities allows unauthenticated remote attackers to execute arbitrary code on the Exchange server, completely compromising the system. The vulnerabilities were reported to Microsoft by external security researchers and were also identified by Microsoft while investigating ongoing attack campaigns in the wild.
Herein, we have compiled a listing of publicly reported information about the vulnerabilities, how to check whether an Exchange server is vulnerable, and how to check whether there is evidence that a server has been compromised. We recommend that any entity running an Internet-facing Exchange server move without delay to patch vulnerable servers and to check for any evidence of compromise. For assistance with either process, please contact Aon’s Cyber Solutions.
Vulnerability Listing
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
1. CVE-2021-26855 (Exchange Server SSRF Vulnerability)
CVSS 3.0: 9.1 (base) / 8.4 (temporal)
Overview
A server-side request forgery (SSRF) vulnerability in Exchange has been assigned CVE-2021-26855. An unauthenticated attacker who can reach the server over HTTPS can use it to send arbitrary HTTP requests that the Exchange front end forwards to back-end services, where they are processed with the identity of the Exchange server itself. This is the entry point of the exploit chain: it removes the authentication requirement of the file-write vulnerabilities described below.
Microsoft has released an Nmap script (NSE) to test an OWA installation for this vulnerability:
https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
Example:
> nmap --script http-vuln-cve2021-26855.nse -sV -p443 -vv -n [target]
[…]
PORT    STATE SERVICE  REASON  VERSION
443/tcp open  ssl/http syn-ack Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-vuln-cve2021-26855:
|   VULNERABLE:
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|       Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.
|
|     Disclosure date: 2021-03-02
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855
|_      http://aka.ms/exchangevulns
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
2. CVE-2021-26857 (Unified Messaging Insecure Deserialization)
CVSS 3.0: 7.8 (base) / 7.2 (temporal)
An insecure deserialization vulnerability in the Exchange Unified Messaging service has been assigned CVE-2021-26857. Insecure deserialization is the vulnerability class in which a program deserializes untrusted, user-controllable data, which can lead to arbitrary code execution. Exploiting this vulnerability gave the HAFNIUM threat actor the ability to run code as SYSTEM on the Exchange server. Administrator permissions or another vulnerability are required to exploit it.
3. CVE-2021-26858 (Arbitrary File Write)
CVSS 3.0: 7.8 (base) / 7.2 (temporal)
An authenticated arbitrary file write vulnerability has been discovered in Exchange and has been assigned CVE-2021-26858. Attackers able to authenticate with the Exchange server can exploit this vulnerability to write a file to an arbitrary location on the system. This vulnerability can be chained with the CVE-2021-26855 SSRF vulnerability to allow an unauthenticated attack.
4. CVE-2021-27065 (Arbitrary File Write)
CVSS 3.0: 7.8 (base) / 7.2 (temporal)
An authenticated arbitrary file write vulnerability has been discovered in Exchange and has been assigned CVE-2021-27065. Attackers able to authenticate with the Exchange server can exploit this vulnerability to write a file to an arbitrary location on the system. This vulnerability can be chained with the CVE-2021-26855 SSRF vulnerability to allow an unauthenticated attack.
Remediation
Microsoft recommends applying the released security updates immediately to all affected Exchange servers. The updates and related details are available here:
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
Temporary mitigations are available for servers on which the updates cannot be applied immediately. The following actions reduce exposure to each vulnerability until the update is installed:
Mitigation | Related CVE
Implement an IIS URL Rewrite rule to filter malicious HTTPS requests | CVE-2021-26855
Disable Unified Messaging (UM) | CVE-2021-26857
Disable the Exchange Control Panel (ECP) virtual directory (VDir) | CVE-2021-26858, CVE-2021-27065
Disable the Offline Address Book (OAB) virtual directory (VDir) | CVE-2021-26858, CVE-2021-27065
Microsoft has released the following script to apply all above mitigations:
https://github.com/microsoft/CSS-Exchange/blob/main/Security/ExchangeMitigations.ps1
The rewrite-rule mitigation requires the IIS URL Rewrite Module, which the script can install if it is missing. The mitigations can affect Exchange functionality (disabling UM, ECP or OAB removes those features for users) and can be rolled back with the same script if needed.
These mitigations do not remove an attacker who has already compromised the server; refer to the Detection section for details on identifying an existing compromise. For further information, see the following Microsoft post:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
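To make the first mitigation concrete, the following added example (not code from this advisory or from Microsoft's script) evaluates the Cookie-header condition that the IIS URL Rewrite mitigation applies, against constructed sample headers. The condition pattern is taken from the MSRC guidance and should be verified against the current ExchangeMitigations.ps1 before relying on it; the sample Cookie headers are constructed for the example, not captured traffic.

```python
"""Evaluate the IIS URL Rewrite condition used by the CVE-2021-26855 mitigation.

Added example, not code from the advisory or from ExchangeMitigations.ps1.
The mitigation adds a rewrite rule on the Default Web Site whose condition
tests the {HTTP_COOKIE} server variable; a match aborts the request before
it reaches the Exchange front end. Verify the pattern against the current
Microsoft script before relying on it.
"""
import re

# Condition pattern applied to {HTTP_COOKIE}; a match triggers "Abort Request".
# IIS evaluates rewrite conditions with .NET regular expressions; for this
# pattern the Python re module behaves identically.
COOKIE_ABORT_PATTERN = re.compile(
    r"(.*X-AnonResource-Backend.*)|(.*X-BEResource=.+/.+~.+)"
)


def request_aborted(cookie_header: str) -> bool:
    """Return True if the rewrite rule would abort a request carrying this Cookie header."""
    return COOKIE_ABORT_PATTERN.search(cookie_header or "") is not None


def triage(requests):
    """Map each (label, cookie_header) pair to the rule's verdict."""
    return {label: request_aborted(cookie) for label, cookie in requests}


# Constructed sample Cookie headers (not captured traffic).
SAMPLE_REQUESTS = [
    # The cookies the Nmap check above sends: a back-end resource path smuggled
    # through the anonymous-resource routing cookies.
    ("ssrf_probe",
     "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; "
     "X-BEResource=localhost/owa/auth/logon.aspx?~3"),
    # Only the X-BEResource cookie, in its host/path~version form.
    ("beresource_only", "X-BEResource=mail.corp.example/ecp/default.flt?~3"),
    # A normal authenticated OWA session: forms-based auth cookies, no routing hint.
    ("owa_session", "ClientId=ABC123; cadata=opaque; X-OWA-CANARY=opaque"),
    # An unauthenticated visit to the logon page with no cookies at all.
    ("no_cookie", ""),
]

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_REQUESTS).items():
        print(f"{label:16} -> {'ABORT' if verdict else 'pass'}")
```

The rule inspects only the Cookie header, so it blocks the known X-AnonResource-Backend and X-BEResource routing abuse and nothing else. It is not a substitute for the security update, and a request that succeeded before the rule was deployed is not undone by it.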
Detection
We recommend starting an immediate investigation to determine whether an attacker has already exploited these issues to gain access to any Exchange server that may have been exposed. This should be done in parallel with applying the recommended remediations, since neither patching nor the mitigations remove an existing foothold.
Microsoft has detailed the manual steps for checking Exchange logs for attack activity in the following blog post. They involve collecting the logs of the affected services and scanning them for indicators of compromise (IOCs):
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
A script has also been released to automate these checks and collect the related logs:
https://github.com/microsoft/CSS-Exchange/blob/main/Security/Test-ProxyLogon.ps1
Example usage:
# check local server and collect files
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs -CollectFiles
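As an added example of the log check described in Microsoft's post (this is not code from this advisory or from Test-ProxyLogon.ps1), the following Python reads the HttpProxy log format and applies Microsoft's published indicator for CVE-2021-26855: a request with no authenticated user whose AnchorMailbox has the form ServerInfo~<host>/<path>. The log excerpt is constructed for the example and uses a subset of the real field list; hostnames and IP addresses are placeholders.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 exploitation indicator.

Added example, not code from the advisory or from Test-ProxyLogon.ps1. It
applies the check Microsoft published for CVE-2021-26855, equivalent to the
PowerShell filter
  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*'
"""
import csv
from collections import Counter

# Constructed HttpProxy log excerpt (not from a real server). Real logs live
# under the Exchange install path in Logging\HttpProxy\<Protocol>\ and carry
# many more columns; the "#Fields:" comment line names the CSV columns.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Date: 2021-03-02T12:00:00.000Z
#Fields: DateTime,Protocol,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus,Method
2021-03-02T12:01:03.114Z,Owa,/owa/auth/logon.aspx,,false,,,198.51.100.23,200,GET
2021-03-02T12:01:17.902Z,Owa,/owa/,FBA,true,CORP\\jdoe,Smtp~jdoe@corp.example,203.0.113.5,200,GET
2021-03-02T12:01:30.007Z,Ews,/EWS/Exchange.asmx,Negotiate,true,CORP\\exch01$,ServerInfo~exch01.corp.example,10.0.0.12,200,POST
2021-03-02T12:02:41.330Z,Owa,/owa/auth/x.js,,false,,ServerInfo~localhost/ecp/default.flt?~3,198.51.100.23,500,GET
2021-03-02T12:02:45.118Z,Ecp,/ecp/y.js,,false,,ServerInfo~exch01.corp.example/ecp/default.flt?~3,198.51.100.23,200,POST
2021-03-02T12:02:49.552Z,Autodiscover,/autodiscover/autodiscover.xml,,false,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml?~1,198.51.100.23,200,POST
"""


def parse_httpproxy_log(text):
    """Parse the comment-headed CSV format into a list of row dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Metadata lines; only "#Fields:" matters for parsing.
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_cve_2021_26855_indicator(row):
    """Unauthenticated request whose AnchorMailbox is ServerInfo~<host>/<path>.

    A ServerInfo~<host> anchor with no path component (normal server-based
    routing) does not match, mirroring the '*/*' part of the -like pattern.
    """
    anchor = row.get("AnchorMailbox", "")
    prefix = "ServerInfo~"
    return (row.get("AuthenticatedUser", "") == ""
            and anchor.startswith(prefix)
            and "/" in anchor[len(prefix):])


def find_indicators(text):
    """Return the rows of a log that match the CVE-2021-26855 indicator."""
    return [r for r in parse_httpproxy_log(text) if is_cve_2021_26855_indicator(r)]


def summarize_by_client(hits):
    """Count hits per source IP as a pivot for further hunting."""
    return Counter(r["ClientIpAddress"] for r in hits)


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for r in hits:
        print(r["DateTime"], r["ClientIpAddress"], r["Protocol"],
              r["UrlStem"], "->", r["AnchorMailbox"])
    print(dict(summarize_by_client(hits)))
```

Feed the HttpProxy logs collected by Test-ProxyLogon.ps1 -CollectFiles to find_indicators() one file at a time. This covers only the CVE-2021-26855 indicator; the Microsoft post also describes checks of the OAB generator logs, the ECP server logs and the Windows Application event log for the other three CVEs, and a hit should be followed by a full investigation of the host rather than treated as conclusive on its own.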
An additional script is available to scan the Exchange installation and identify potentially malicious files:
https://github.com/microsoft/CSS-Exchange/blob/main/Security/CompareExchangeHashes.ps1
Usage:
.\CompareExchangeHashes.ps1
How We Can Help
Aon’s Cyber Solutions can help you Seek, Shield and Solve your cyber security problems. Aon is a leading independent CREST and NCSC CHECK “Green” service provider who specializes in offering bespoke professional security assurance and risk transfer services to a wide range of clients within both the private and public sectors – including penetration testing, digital forensics and incident response, cyber risk quantification and cyber insurance broking.
For organizations with a potential vulnerability, identifying and remediating vulnerabilities can be critical to limiting the exposure of the business. If these vulnerabilities, or any other form of vulnerability, affect your organization, our security testing team is on hand to help you identify vulnerabilities that could adversely affect your organization and advise how best to remediate them.
For organizations with a potential supply chain or third-party vulnerability, understanding and identifying possible indicators of compromise in order to establish the impact and scope can be critical to defending against an attack before the damage is done, or before learning about a breach from a third party or the media.
Our compromise assessment service allows companies to perform targeted analysis and gather potential evidence to answer the question: “Have we already been compromised?” We conduct forensic analysis to identify ongoing or historic intrusions in an environment. We use a combination of leading technologies, proprietary tools, and robust methodologies to help unearth attack vectors, techniques, and technology. By proactively searching for evidence of compromise or intent, we can help identify widely known attack patterns as well as potentially suspicious activity and outliers which might otherwise evade traditional or more automated security solutions.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT Department before implementing any recommendation or the guidance provided herein. Further, the information provided, and the statements expressed are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Among other things, Microsoft may make changes, other parties may provide updated information on these vulnerabilities, and the actions of HAFNIUM or other threat actors may change.