Tuesday 9 March 2021

On-Perm Exchange security issues (March 2021) patch now

Overview

CVE-2021-26855
CVE-2021-26855 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26857
CVE-2021-26857 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26858
CVE-2021-26858 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-27065
CVE-2021-27065 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability

On the 2nd of Match Microsoft released information on an attack that was using the above CVE to take over Exchange servers on-perm.  Namely 2010, 2013, 2016, and 2019.

HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security

Following this news they also released updates and patch's for the affected systems

Released: March 2021 Exchange Server Security Updates - Microsoft Tech Community

Patchs

Older and unsupported upgrade paths
March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server - Microsoft Tech Community

Exchange 2010 (SP3)
Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)

Exchange 2013 (CU 23)
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

Exchange 2016 (CU19 or CU18)
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

Exchange 2019 (CU8 or CU7)
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

Mitigation

The goal would be to patch as soon as possible but you can mitigate the risks with the following

Microsoft Exchange Server Vulnerabilities Mitigations – updated March 6, 2021 – Microsoft Security Response Center

With an automatic script located here too to make it quicker
CSS-Exchange/Security at main · microsoft/CSS-Exchange · GitHub

Download

CSS-Exchange/ExchangeMitigations.ps1 at main · microsoft/CSS-Exchange · GitHub

Run with the following

ExchangeMitigations.ps1 -WebSiteNames “Default Web Site” -ApplyAllMitigations -Verbose

Test

You can test to see if your system has been compromised with the Test-ProxyLogon script from
CSS-Exchange/Security at main · microsoft/CSS-Exchange · GitHub

Download

Run with the following

Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

No comments:

Post a Comment