Bryson Medlock

Bryson Medlock
on April 13, 2021

Another round of Microsoft Exchange vulnerabilities

Another round of Microsoft Exchange vulnerabilities

We warned you last week that more critical Exchange vulnerabilities were on the horizon and this week proves our words to be prophetic. Today is April 2021’s Patch Tuesday, the normal day of the month where Microsoft releases patches, which typically occurs on the 2nd Tuesday of each month.

In today’s release, there were four critical updates to Microsoft Exchange to mitigate CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483.

All four of these new critical vulnerabilities lead to Remote Command Execution (RCE) – similar to the Proxylogon vulnerabilities we spent all of March dealing with – and two of them work for unauthenticated users.

Unlike Proxylogon, there is no evidence so far that anyone has exploited these vulnerabilities, which means that there’s still time to patch your systems before we start seeing bad guys dropping shells and ransomware everywhere.

The four vulnerabilities in question were reported to Microsoft by the NSA and there is no confirmation at this time whether or not these are related to the exploits used during last week’s Pwn2Own competition we mentioned in our last weekly threat report.

Microsoft does rate the complexity of the vulnerabilities as low and they mentioned in their FAQ that the mitigation techniques we previously discussed will not work to mitigate these new vulnerabilities. So far, the only and best recommendation is to patch your on-premises Exchange servers as quickly as possible. Though we have not seen anyone exploiting these vulnerabilities yet, industrious adversaries could reverse engineer the now-public patches to determine what was updated and then create their own exploits.

Additional critical updates for other Microsoft products were also released today, including a local privilege escalation, CVE-2021-28310 that has been observed in use by the BITTER APT group.

As always, the Perch research team will keep an eye on this story as it develops and let you know when we have additional information.

- Bryson Medlock, the Dungeon Master

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28480

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28481),

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28482

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28483

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617

https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2021-patch-tuesday-fixes-108-flaws-5-zero-days/

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Marketo Auction Leak Site

Share this on:

Bryson Medlock

Bryson Medlock
on April 13, 2021

Recent Posts

Marketo Auction Leak Site

Marketo Auction Leak Site
Perch bulletin: Critical zero-day Microsoft Exchange vulnerability observed in the wild

Perch bulletin: Critical zero-day Microsoft Exchange vulnerability observed in the wild
CVE spotlight: CVE-2021-21972 (VMware vCenter Server RCE)

CVE spotlight: CVE-2021-21972 (VMware vCenter Server RCE)
Perchy Subscribe to our blog

© Perch Security 2022