Microsoft urges Exchange Server admins to fix wild-exploited bug

Microsoft Exchange
Microsoft Exchange
Written by Emma Davis
Microsoft warned admins today to immediately patch a high severity Exchange Server vulnerability that may allow authenticated attackers to execute code remotely on vulnerable servers.

The vulnerability (CVE-2021-42321) affects all supported versions of Exchange Server (2013 SP1 and later) and all supported platforms (physical, virtual, and cloud-based Exchange servers, e.g. Office 365) according to the advisory issued by the Microsoft Malware Protection Center.

For a quick inventory of all Exchange servers in your environment behind on updates (CUs and SUs), you can use the latest version of the Exchange Server Health Checker script.

The Microsoft Security Response Center published information on the vulnerability last week and recommends administrators patch and reboot affected servers.

The vulnerability can be exploited by attackers who have an active presence on the system where the Exchange server is running.

A remote attacker might be able to execute code on an affected system by sending specially crafted Exchange Server messages. For example, an attacker who successfully exploited this vulnerability could take full control of an affected system.Microsoft warned
Exchange Server update paths (Microsoft)

Exchange Server update paths (Microsoft)

The vulnerabilities can be exploited through insecure Exchange ActiveSync or ActiveSync Services.

An attacker could send an email from a compromised system with an attached Microsoft Word document. The document could include a malicious macro that would execute if the user accepted the document or clicked on a link inside the document. If the exploit is successful, the attacker could gain access to email messages from an affected system, including sent and received message contents.Microsoft explains

Microsoft told The Register that the vulnerability is a four-stage attack vector where an attacker uses a malicious attachment in an email message to take control of a server running Exchange Server.

The attacker also has to be logged in with elevated privileges on the server, such as using admin rights, to perform the attack.

The security advisory contains a proof-of-concept exploit that can be executed by a Microsoft customer with a low-security posture. It can be accessed on GitHub here.

Fortunately for most Exchange customers, there are other measures that can be taken to mitigate the risk.

The first one is to ensure that Exchange ActiveSync and ActiveSync Services are disabled or switched off in Exchange server settings.

Second, customers should use a proper Exchange client to manage email messages. Other solutions are available in the marketplace like Thunderbird or Outlook Mobile.

Microsoft advises that clients that don’t meet its minimum requirements, such as no Exchange ActiveSync or ActiveSync Services or Exchange ActiveSync Manager, should not be installed in the first place.

Office 365 admins should also check and update all Exchange servers in the Office 365 Admin Center.

If you want to check and see if any of your Exchange servers were hit by CVE-2021-42321 exploitation attempts, you have to run the following PowerShell query on each Exchange server to check for specific events in the Event Log:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
Let me remind you that I also talked about the fact that New vulnerabilities in Microsoft Exchange have already affected tens of thousands of organizations.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply