Exchange Servers 0-day exploits -HAFNIUM-
On March 2, 2021, Microsoft released several security updates for Microsoft Exchange Server to address vulnerabilities that had been exposed in attacks targeting on-premises versions of Exchange Server. Microsoft has categorised these as critical vulnerabilities and recommends updating Exchange Server as soon as possible.
The Exchange versions affected are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
NOTE: Exchange Online is not affected. Also, Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.
These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to the Exchange server on port 443.
The vulnerabilities being exploited were:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Security updates are available for the following specific versions of Exchange:
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
- NEW! Security Updates for older Cumulative Updates of Exchange Server
Update # 4 – [16.03.2021]
Microsoft has released One-Click Microsoft Exchange On-Premises Mitigation Tool

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
Update # 3 – [09.03.2021]
Microsoft has released security updates for older CUs.
You can also now check Exchange servers running E13, E16 or E19 for malicious files using this Script,
or use Microsoft Safety Scanner to scan the servers.
Update # 2 – [07.03.2021]
As a workaround, Microsoft has released mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments, while strongly recommending that customers upgrade their on-premises Exchange environments to the latest supported version.
Update # 1 – [06.03.2021]
Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs).
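As an added example (not Microsoft's script and not part of the original post), the following Python check implements one of the CVE-2021-26855 indicators Microsoft published for the HttpProxy logs: an unauthenticated request whose AnchorMailbox carries a ServerInfo~ routing value. The column subset and the sample log rows are constructed for illustration and are not real telemetry.

```python
import csv
import io

# Constructed sample of Exchange HttpProxy log lines (a simplified subset of the
# real CSV columns, for illustration only). On a real server these logs live
# under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:01.000Z,a1,10.0.0.5,/owa/,CONTOSO\\alice,SMTP:alice@contoso.example
2021-03-03T10:15:02.000Z,a2,198.51.100.7,/owa/auth/x.js,,ServerInfo~mail.contoso.example/autodiscover/autodiscover.xml
2021-03-03T10:15:03.000Z,a3,10.0.0.9,/ecp/,CONTOSO\\bob,SMTP:bob@contoso.example
2021-03-03T10:15:04.000Z,a4,198.51.100.7,/ecp/y.js,,ServerInfo~mail.contoso.example/ecp/DDI/DDIService.svc
"""


def is_ssrf_indicator(row: dict) -> bool:
    """Return True when a row matches the published CVE-2021-26855 indicator:
    no authenticated user and an AnchorMailbox of the form ServerInfo~*/*."""
    anchor = (row.get("AnchorMailbox") or "").strip()
    user = (row.get("AuthenticatedUser") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def scan_httpproxy_log(text: str) -> list:
    """Parse a CSV HttpProxy log and return the suspicious rows as dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if is_ssrf_indicator(row)]


def summarize(hits: list) -> dict:
    """Group suspicious request IDs by client IP so responders can triage sources."""
    summary = {}
    for row in hits:
        summary.setdefault(row["ClientIpAddress"], []).append(row["RequestId"])
    return summary


if __name__ == "__main__":
    hits = scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    for ip, ids in summarize(hits).items():
        print(f"{ip}: {len(ids)} suspicious request(s): {', '.join(ids)}")
```

A match is an indicator to investigate, not proof of compromise; corroborate with the other checks in Microsoft's script and the web-server logs.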
http-vuln-cve2021-26855.nse
This file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855).
Download the latest release here:
Download http-vuln-cve2021-26855.nse
nmap --script http-vuln-cve2021-26855.nse exchange.server.url

Further information and sources:
- Microsoft Exchange Server Vulnerabilities Mitigations
- HAFNIUM targeting Exchange Servers with 0-day exploits
- Exchange Team Blog
- Tools