Exchange Server Vulnerabilities Discovered by Hackers. In early January of this year (2021), Microsoft informed security expert Brian Krebs that the company found four Zero-Day security flaws in their Exchange Server. A persistent threat group known as Halfnium, sponsored by the Chinese government were exploiting those flaws.
According to Microsoft’s statistics, more than 30,000 Exchange Servers already have impacts, with some industry experts putting that number closer to 60,000.
Halfnium was the first group to begin exploiting these security flaws. However, there is a growing body of evidence that the most recent attacks are from groups other than Halfnium, which means that word is out.
If there’s a silver lining, it lies in the fact that Microsoft moved quickly and issued a patch to address all four of the security issues. Unfortunately, the speed at which new security patches vary wildly from one organization to the next. At present, there are millions of Exchange server vulnerabilities discovered around the world still vulnerable to these attacks.
If you use Exchange Server, you owe it to yourself to make sure you’re installing the latest security patch.
For your reference, the four flaws addressed by the patch are as follows:
- CVE-2021-26855: CVSS 9.1: A Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests sent by unauthenticated attackers. Servers need to be able to accept untrust connections over port 443 for the bug to be triggers.
- CVE-2021-26857: CVSS 7.8: An insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. Note that this vulnerability needs to combine with another or must use stolen credentials.
- CVE-2021-26858: CVSS 7.8: and CVE-2021-27065: CVSS 7.8: A post-authentication arbitrary file write vulnerability to write to paths.
This is a serious issue that could have catastrophic ripple effects. Again, if you use Exchange Server, check your patch status right away.