Rewterz Threat Alert – Operation Exchange Marauder: Active Exploitation of Multiple Zero-Days
March 3, 2021
Severity
High
Analysis Summary
Microsoft has released emergency out-of-band patches for Microsoft Exchange Server that address four vulnerabilities which have been used in limited, targeted attacks. The previously undisclosed vulnerabilities are being actively exploited, chained together, by a newly identified Chinese state-sponsored threat actor (tracked by Microsoft as HAFNIUM) with the goal of stealing data from on-premises Exchange servers. Exchange Online is not affected.
Attack Analysis
The four vulnerabilities are used together as an attack chain. The initial step, the SSRF (CVE-2021-26855), is pre-authentication and only requires the ability to make an untrusted connection to the Exchange server on port 443. That step can be mitigated by restricting untrusted inbound connections, or by placing the Exchange server behind a VPN so that it is not directly reachable from the internet. This mitigation only blocks the initial portion of the chain: the remaining vulnerabilities are post-authentication and can still be triggered by an attacker who already has access (for example through stolen credentials or a foothold on the internal network) or who can convince an administrator to open a malicious file. Installing the security update is the only complete fix.
- CVE-2021-26855: A pre-authentication server-side request forgery (SSRF) vulnerability in Exchange Server that lets an attacker send arbitrary HTTP requests and authenticate as the Exchange server
- CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that allows code execution as SYSTEM; it requires administrator permission or another vulnerability (such as CVE-2021-26855) to exploit
- CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange; once authenticated, an attacker can write a file to any path on the server
- CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange with the same effect, reached through the Exchange Control Panel (ECP)
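Because these vulnerabilities were exploited before the patches existed, a practitioner needs a way to check whether a server was hit. The script below is an added example, not part of the Rewterz alert and not Microsoft's own tooling: it wraps the log and event-log indicators Microsoft published for each of the four CVEs alongside the patches. It assumes a default on-premises Exchange install under `...\Exchange Server\V15` and Windows PowerShell 5.x (the Exchange Management Shell); the HttpProxy log snippet at the bottom is constructed so that the SSRF check can be exercised offline.

```powershell
# Added example (not from the Rewterz alert): hunt for the published indicators of the
# four CVEs in the Exchange Marauder chain. Assumes a default V15 install path.
$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'

function Read-ExchangeCsvLog {
    # Exchange CSV logs may begin with '#'-prefixed metadata lines; drop them so the
    # first remaining line (the real column header) is what ConvertFrom-Csv uses.
    param([string[]]$Lines)
    $body = @($Lines | Where-Object { $_ -and -not $_.StartsWith('#') })
    if ($body.Count -gt 1) { $body | ConvertFrom-Csv }
}

function Find-Cve26855 {
    # SSRF (CVE-2021-26855): an HttpProxy request with no authenticated user whose
    # AnchorMailbox is of the form 'ServerInfo~<host>/<path>' is the published indicator.
    param([string[]]$LogLines)
    Read-ExchangeCsvLog $LogLines |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-Cve26857 {
    # Unified Messaging deserialization (CVE-2021-26857): the published indicator is an
    # Application event-log error from MSExchange Unified Messaging that mentions
    # System.InvalidCastException. Get-EventLog is Windows PowerShell 5.x only; on
    # PowerShell 7 use Get-WinEvent with an equivalent filter.
    Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeGenerated, EventID, Message
}

function Find-Cve26858 {
    # OAB arbitrary file write (CVE-2021-26858): 'Download failed and temporary file'
    # entries in the OABGenerator logs; legitimate downloads only land under ClientAccess\OAB\Temp.
    param([string]$Root = $ExchangeRoot)
    Get-ChildItem -Path (Join-Path $Root 'Logging\OABGeneratorLog') -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Download failed and temporary file' |
        Select-Object Path, LineNumber, Line
}

function Find-Cve27065 {
    # ECP arbitrary file write (CVE-2021-27065): Set-*VirtualDirectory calls in the ECP
    # server logs, the mechanism used to write a web shell into a virtual directory.
    param([string]$Root = $ExchangeRoot)
    Get-ChildItem -Path (Join-Path $Root 'Logging\ECP\Server') -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Set-.+VirtualDirectory' |
        Select-Object Path, LineNumber, Line
}

function Invoke-ExchangeMarauderHunt {
    # Run every check against the live server and return one object keyed by CVE.
    param([string]$Root = $ExchangeRoot)
    $httpProxyHits = Get-ChildItem -Path (Join-Path $Root 'Logging\HttpProxy') -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Find-Cve26855 -LogLines (Get-Content -Path $_.FullName) }
    [pscustomobject]@{
        'CVE-2021-26855' = @($httpProxyHits)
        'CVE-2021-26857' = @(Find-Cve26857)
        'CVE-2021-26858' = @(Find-Cve26858 -Root $Root)
        'CVE-2021-27065' = @(Find-Cve27065 -Root $Root)
    }
}

# Constructed sample HttpProxy log (not a real capture). Row r1 is the suspicious
# unauthenticated ServerInfo~ pattern; row r2 is a normal authenticated request.
$SampleHttpProxyLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T01:02:03.000Z,r1,203.0.113.10,mail.example.test,/owa/auth/x.js,,ServerInfo~EXCH01.corp.example.test/ecp/default.flt
2021-03-03T01:02:04.000Z,r2,198.51.100.7,mail.example.test,/owa/,alice@example.test,Sid~S-1-5-21-1-2-3-1001
'@ -split "`r?`n"

# Offline demonstration against the constructed sample.
Find-Cve26855 -LogLines $SampleHttpProxyLog | Format-Table -AutoSize

# On a real server:  Invoke-ExchangeMarauderHunt | Format-List
```

A hit on any of these checks is a reason to treat the server as compromised and start incident response, not just to patch: the web shells dropped through CVE-2021-26858 and CVE-2021-27065 survive the security update, so also review the `ClientAccess`, `FrontEnd\HttpProxy` and `inetpub\wwwroot` trees for recently created `.aspx` files.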
Impact
Data theft (mailbox contents and credentials), remote code execution as SYSTEM on the Exchange server, and persistent access through web shells written to the server
Affected Vendors
Microsoft
Affected Products
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Remediation
Microsoft recommends prioritizing installation of the updates on Exchange Servers that are externally facing, since the initial stage of the chain is reachable from the internet over port 443. All affected Exchange Servers should ultimately be updated. The security updates only install on servers running a supported Cumulative Update, so servers on an older CU must be upgraded first. Because the vulnerabilities were exploited before patches were available, patching does not evict an attacker who is already present; administrators should also check their servers for indicators of compromise.
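Verifying that the update actually took is easy to get wrong, because `Get-ExchangeServer` only reports the Cumulative Update level, not the security-update revision. The script below is an added example, not part of the Rewterz alert: it reads the exact build from `ExSetup.exe` (the method Microsoft documents) and compares it against the patched build numbers listed in KB5000871 at the time of release. Those numbers are an assumption to confirm against the current KB before relying on the check; the sample builds at the bottom are constructed test cases, not taken from a live server.

```powershell
# Added example (not from the Rewterz alert): is the installed Exchange build at or past
# the March 2021 security update? Patched builds as listed in KB5000871 at release;
# verify against the current KB before relying on this list.
$PatchedBuilds = @(
    [version]'15.0.1497.12'   # Exchange 2013 CU23
    [version]'15.1.2106.13'   # Exchange 2016 CU18
    [version]'15.1.2176.9'    # Exchange 2016 CU19
    [version]'15.2.659.12'    # Exchange 2019 CU7
    [version]'15.2.721.13'    # Exchange 2019 CU8
)

function Get-ExchangeBuild {
    # ExSetup.exe carries the full build including the security-update revision;
    # Get-ExchangeServer's AdminDisplayVersion stops at the Cumulative Update.
    $exsetup = Get-Command -Name ExSetup.exe -ErrorAction Stop
    [version]$exsetup.FileVersionInfo.FileVersion   # e.g. '15.01.2176.009' parses to 15.1.2176.9
}

function Test-ExchangeMarchPatch {
    # Decision logic:
    #  * same major.minor.build as a listed CU -> patched if the revision is >= the SU's
    #  * CU newer than any listed for the line -> patched (later CUs include the fix)
    #  * older CU                               -> unpatched; the SU cannot be installed
    #                                              until the server is on a supported CU
    param([Parameter(Mandatory)][version]$Build)
    $line = @($PatchedBuilds | Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor })
    if ($line.Count -eq 0) {
        return [pscustomobject]@{ Build = $Build; Patched = $false; Reason = 'Unknown Exchange version line' }
    }
    $sameCu = $line | Where-Object { $_.Build -eq $Build.Build } | Select-Object -First 1
    if ($sameCu) {
        $ok = $Build.Revision -ge $sameCu.Revision
        $reason = if ($ok) { "At or above patched build $sameCu" } else { "Security update missing: need $sameCu" }
    } elseif ($Build.Build -gt ($line | Measure-Object -Property Build -Maximum).Maximum) {
        $ok = $true
        $reason = 'Cumulative Update newer than the March 2021 release; fix is included'
    } else {
        $ok = $false
        $reason = 'Unsupported Cumulative Update; upgrade to a supported CU, then apply the security update'
    }
    [pscustomobject]@{ Build = $Build; Patched = $ok; Reason = $reason }
}

# Constructed test cases (not from a live server):
#   15.1.2176.4  - 2016 CU19 without the security update
#   15.1.2176.9  - 2016 CU19 with the security update
#   15.2.721.13  - 2019 CU8 with the security update
#   15.1.2044.4  - 2016 CU17, no longer supported
#   15.2.900.1   - a hypothetical later 2019 CU
foreach ($b in '15.1.2176.4', '15.1.2176.9', '15.2.721.13', '15.1.2044.4', '15.2.900.1') {
    Test-ExchangeMarchPatch -Build ([version]$b)
}

# On the server itself:  Test-ExchangeMarchPatch -Build (Get-ExchangeBuild)
```

Run this from the Exchange Management Shell on each server rather than trusting a central inventory: a server that shows the right CU in the admin center can still be missing the security update.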