Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12.01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time of issuing the patches there have been no known cases of exploitation of the flaws in the wild, but it is likely that now the flaws have been publicly disclosed, the patches could be reverse engineered and working exploits developed.

All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks.

Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user interaction required. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been assigned a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483 has a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

If any vulnerable Microsoft Exchange Servers cannot be updated before the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the updates can be applied. Technical and/or management controls must be implemented to ensure newly provisioned and previously disconnected endpoints are updated prior to connecting them to agency networks. CIOs or equivalents are required to submit a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been updated or disconnected, and should any cyber incidents be detected, Indicators of Compromise must be submitted to CISA.

Patches to correct all four flaws were released by Microsoft on April 2021 Patch Tuesday, along with patches for a further 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky believes is being actively exploited in the wild by at least one threat group. In combination with browser exploits, attackers can escape sandboxes and gain system privileges for further access. Exploitation would allow the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to install new programs.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.