-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0048.5
          Critical Patches released for Microsoft Exchange Server
                               16 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Microsoft Exchange Server
Operating System: Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-27078 CVE-2021-27065 CVE-2021-26858
                  CVE-2021-26857 CVE-2021-26855 CVE-2021-26854
                  CVE-2021-26412  

Revision History: March 16 2021: Added AusCERT article providing latest updates and advice.
                  March  9 2021: Microsoft has released a major revision increment of the
                                 CVEs, and has released patches for some unsupported
                                 Exchange Server versions.
                  March  4 2021: Name correction.
                  March  4 2021: More information about mitigating and detecting HAFNIUM exploitation.
                  March  3 2021: Initial Release.

OVERVIEW

        Microsoft has released out-of-band critical updates to address a number
        of Microsoft Exchange Server Remote Code Execution vulnerabilities.
        
        Microsoft has advised that functional exploit code exists for a number
        of the vulnerabilities [3][4][5][8].
        
        AusCERT has published an article providing the latest updates and
        reinforcing the importance of performing forensic analysis of all
        Exchange systems against the latest published Indicators of
        Compromise. This is recommended even for systems that have already been
        patched, because the vulnerabilities were being exploited before the
        patches were issued; a patch closes the entry point but does not remove
        web shells or other persistence already placed on the server. [15]


IMPACT

        Microsoft has advised the following CVEs have undergone a major
        revision increment. The qualitative label after each CVSS vector is
        the one derived from the score; where Microsoft's own severity rating
        differs, it is shown on the following line.
        
        * CVE-2021-26412   Remote Code Execution
          9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H   Critical
          [2]
        
        * CVE-2021-26855   Remote Code Execution
          9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N   Critical
          Microsoft severity rating (revised):               Critical
          [3]
        
        * CVE-2021-27065   Remote Code Execution
          7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   High
          Microsoft severity rating (revised):               Critical
          [4]
        
        * CVE-2021-26857   Remote Code Execution
          7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   High
          Microsoft severity rating (revised):               Critical
          [5]
        
        * CVE-2021-27078   Remote Code Execution
          9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H   Critical
          [6]
        
        * CVE-2021-26854   Remote Code Execution
          6.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H   Medium
          [7]
        
        * CVE-2021-26858   Remote Code Execution
          7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   High
          Microsoft severity rating (revised):               Important
          [8]


MITIGATION

        It is advised to update Exchange Server to the latest available
        version; the applicable updates are listed in Microsoft's security
        update guidance [1] and are available from the Microsoft Update
        Catalog.
        
        Microsoft has confirmed official fixes exist for the 
        vulnerabilities [2][3][4][5][6][7][8]
        
        Volexity [9], Krebs on Security [10] and Ars Technica [11] have reported
        active exploitation of servers using the vulnerabilities noted in this
        advisory.
        
        =Update 2021-03-04=
        
         YARA [12] and Sigma [13] rules have been made available by Florian
         Roth, based on the Volexity blog post [9].
        
         Microsoft has also released information on detecting and mitigating
         attacks [14], including searching for suspicious archive files in
         staging folders and for web shells by file name.
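         The following script is an added hunting example, not code from
         AusCERT or Microsoft. It applies the two checks described above in a
         generic way: it lists recently written ASP.NET script files under the
         Exchange web roots (where a web shell dropped through OWA/ECP would
         land) and recently written archive files under common staging
         folders, and records a SHA-256 for each so the list can be compared
         against published IoCs or a known-good server. The folder locations,
         the use of the ExchangeInstallPath environment variable set by
         Exchange setup, the 30-day default look-back and the output path are
         all assumptions; adjust them for the server being examined.

```powershell
<#
  Added hunting example (not AusCERT's or Microsoft's code).
  Lists recently written .aspx/.ashx/.asmx files under the Exchange web
  roots and recently written archives under staging folders, with SHA-256,
  so they can be triaged against published indicators of compromise.
#>
[CmdletBinding()]
param(
    # Earliest write/creation time of interest (assumption: last 30 days).
    [datetime]$Since = (Get-Date).AddDays(-30),
    # Exchange install root; ExchangeInstallPath is set by Exchange setup.
    [string]$ExchangeRoot = $env:ExchangeInstallPath,
    # Where to write the triage CSV (assumption).
    [string]$OutCsv = (Join-Path $env:TEMP 'exchange-hunt.csv')
)

if (-not $ExchangeRoot) {
    throw 'ExchangeInstallPath is not set; pass -ExchangeRoot explicitly.'
}

# Web roots a dropped web shell would typically land in (assumed defaults).
$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)
# Folders where exported mail is commonly staged as an archive (assumption).
$archiveRoots = @(
    $env:ProgramData,
    (Join-Path $env:SystemRoot 'Temp')
)

# Returns files under $Roots matching $Include that were written or created
# on/after $Since. Creation time is checked as well, because an attacker can
# reset LastWriteTime on a dropped file.
function Get-RecentFiles {
    param([string[]]$Roots, [string[]]$Include, [datetime]$Since)
    $cutoff = $Since.ToUniversalTime()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $Include `
            -ErrorAction SilentlyContinue |
            Where-Object {
                $_.LastWriteTimeUtc -ge $cutoff -or $_.CreationTimeUtc -ge $cutoff
            }
    }
}

# Builds one triage record per file, including its SHA-256.
function New-HuntRecord {
    param([System.IO.FileInfo]$File, [string]$Kind)
    [pscustomobject]@{
        Kind    = $Kind
        Path    = $File.FullName
        Created = $File.CreationTimeUtc
        Written = $File.LastWriteTimeUtc
        Bytes   = $File.Length
        SHA256  = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    }
}

$hits = @()
$hits += Get-RecentFiles -Roots $webRoots -Include '*.aspx', '*.ashx', '*.asmx' -Since $Since |
    ForEach-Object { New-HuntRecord -File $_ -Kind 'webroot-script' }
$hits += Get-RecentFiles -Roots $archiveRoots -Include '*.zip', '*.rar', '*.7z' -Since $Since |
    ForEach-Object { New-HuntRecord -File $_ -Kind 'staged-archive' }

$hits | Sort-Object Written -Descending | Format-Table -AutoSize
$hits | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
Write-Host "$($hits.Count) candidate file(s) written to $OutCsv"
```

         A hit is not proof of compromise: Exchange itself ships .aspx files
         under owa\auth, and a cumulative update rewrites them. Compare the
         hashes against a freshly patched, known-good server or against the
         published IoCs [9][12][14] before acting, and preserve the server
         (including its IIS and HttpProxy logs) rather than cleaning it in
         place if any hash matches.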
        
        =Update 2021-03-09=
        
         Microsoft has also released security updates for
          - CVE-2021-27065,
          - CVE-2021-26855,
          - CVE-2021-26857, and
          - CVE-2021-26858
         for several Cumulative Updates that are otherwise out of support,
         including
          - Exchange Server 2019 CU 6, CU 5 and CU 4, and
          - Exchange Server 2016 CU 16, CU 15 and CU 14.
         These releases are a stop-gap for servers that cannot be upgraded
         immediately; such servers should still be brought to a supported
         Cumulative Update and fully patched as soon as practicable [1].
         


REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

        [2] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-26412
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412

        [3] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-26855
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

        [4] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-27065
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

        [5] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-26857
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

        [6] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-27078
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078

        [7] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-26854
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854

        [8] Microsoft Exchange Server Remote Code Execution Vulnerability
            CVE-2021-26858
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

        [9] Operation Exchange Marauder: Active Exploitation of Multiple
            Zero-Day Microsoft Exchange Vulnerabilities
            https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

        [10] Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to
             Plunder Emails
             https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/

        [11] Microsoft issues emergency patches for 4 exploited 0-days in
             Exchange
             https://arstechnica.com/information-technology/2021/03/microsoft-issues-emergency-patches-for-4-exploited-0days-in-exchange/

        [12] Hafnium Yara Rules
             https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium.yar

        [13] Hafnium Sigma Rules
             https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_exploitation_hafnium.yml

        [14] HAFNIUM targeting Exchange Servers with 0-day exploits
             https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

        [15] Patching for HAFNIUM is just half of the story
             https://www.auscert.org.au/blog/2021-03-16-patching-hafnium-just-half-story

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYFBAh+NLKJtyKPYoAQjofw/5AQ+LuOMJfhGpsEtY5FYeUj9BYSBGq+Ym
t+WbEGb33MysRrGIsO77wyHEAhm8OsOHw6ogoZ/+MDfcufmrs2HeaSqpiCcJ1R7/
KV3YijNj4eoQUPUhsiF26eox+xB4pVEE9neMZxJSmPvCTmxISVZOq+bdso/l1T4e
zbhTVKglu5p2fkISBwmuhzcuilQyvqxs+OKLr6E/1kWfrkTnsC7Gdi+9i4mUeZ5e
nitHEoXASApkZ1mbhJa0Q1dNGUgpdJsC7W3/t0Z9b8d9NdICanFJFa/QGIKxLvPY
JPUOyXluXtS2fDkoJ6YQDcZRYvKk5CYEqfYZtqosurPWACOE23Tm/s7sJ2N6YSa9
zkMqvWJYcT7ghLk2UQpXgIRh7DVBhZtWphdB43UkI9upkthkSEHhjBz0CQ4Wbszh
YCcrnZxmHFvykchzScNq7sLxjScgyY4ilqVNTQ5KgtLoL82Ufe9umNmH/I+rZilZ
bUb2VQXHSRNpgH6ZT9SPERyy+XVi7ZRqYxMu16KXPs6+n/bwPI64TadUNUUJOimM
MaZuKRRS/olJVPkvRmSyM21Me0SQKW9gHuyimn9/4Z8uP4H8VPAQqqOAkDVUpQep
fKsMvcQgbQ4GUe3zpW3I8J8TwvHU/txCRyahc0phSs6d5LVhJ+lUSnMWTv0+QH4A
+MrXgsFpvJ4=
=xYUm
-----END PGP SIGNATURE-----