-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin
                              ASB-2021.0048.5
          Critical Patches released for Microsoft Exchange Server
                               16 March 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange Server
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27078 CVE-2021-27065 CVE-2021-26858 CVE-2021-26857
                   CVE-2021-26855 CVE-2021-26854 CVE-2021-26412

Revision History:  March 16 2021: Added AusCERT article providing the latest
                                  updates and advice.
                   March  9 2021: Microsoft published a major revision of the
                                  CVEs and released patches for some
                                  out-of-support Exchange Server cumulative
                                  updates.
                   March  4 2021: Name correction.
                   March  4 2021: Added information on detecting and
                                  mitigating HAFNIUM exploitation.
                   March  3 2021: Initial release.

OVERVIEW

Microsoft has released out-of-band critical updates to address a number of
Microsoft Exchange Server remote code execution vulnerabilities. Microsoft
has advised that functional exploit code exists for several of the
vulnerabilities. [3][4][5][8]

AusCERT has published an article providing the latest updates and
reinforcing the importance of forensic analysis of all Exchange systems
based on the latest published indicators of compromise. This is recommended
even for systems that have already been patched: the vulnerabilities were
being exploited before patches were issued, and patching closes the
vulnerabilities but does not remove web shells or other persistence an
attacker has already established. [15]

IMPACT

Microsoft has advised that the following CVEs have undergone a major
revision increment:

* CVE-2021-26412  Remote Code Execution
  CVSS 9.1  CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H  Critical [2]

* CVE-2021-26855  Remote Code Execution
  CVSS 9.1  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N  Critical
  This has been revised by Microsoft as Critical. [3]

* CVE-2021-27065  Remote Code Execution
  CVSS 7.8  CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  High
  This has been revised by Microsoft as Critical. [4]

* CVE-2021-26857  Remote Code Execution
  CVSS 7.8  CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  High
  This has been revised by Microsoft as Critical. [5]

* CVE-2021-27078  Remote Code Execution
  CVSS 9.1  CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H  Critical [6]

* CVE-2021-26854  Remote Code Execution
  CVSS 6.6  CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H  Medium [7]

* CVE-2021-26858  Remote Code Execution
  CVSS 7.8  CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  High
  This has been revised by Microsoft as Important. [8]

MITIGATION

Update Exchange Server to the latest security update published by
Microsoft. [1] Microsoft has confirmed that official fixes exist for the
vulnerabilities. [2][3][4][5][6][7][8]

Volexity [9], Krebs on Security [10] and Ars Technica [11] report active
exploitation of servers using the vulnerabilities noted in this bulletin.

=Update 2021-03-04=

YARA [12] and Sigma [13] rules based on the Volexity blog [9] have been
published by Florian Roth. Microsoft has also published detection and
mitigation guidance [14], including hunting for suspicious archives in
specific folders and for web shells by file name.

=Update 2021-03-09=

Microsoft is releasing security updates for the following vulnerabilities:
- CVE-2021-27065,
- CVE-2021-26855,
- CVE-2021-26857, and
- CVE-2021-26858

These releases cover several Cumulative Updates that are out of support,
including:
- Exchange Server 2019 CU 6, CU 5 and CU 4, and
- Exchange Server 2016 CU 16, CU 15 and CU 14.
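The following PowerShell is an added triage example; it is not part of the AusCERT bulletin and not Microsoft's own guidance. It sweeps the two artefact classes the bulletin mentions (web shells dropped under the Exchange and IIS web roots, and archives staged for exfiltration) and records path, timestamps and SHA-256 for anything it flags. The directory list, the web shell file names, the content pattern and the 2021-01-01 cut-off date are assumptions drawn from public reporting on this campaign and should be widened for your environment rather than treated as complete. It is read-only and must be run elevated on the Exchange server itself.

```powershell
# Added example (not from the AusCERT bulletin or Microsoft): read-only triage sweep
# for web shells and staging archives on an Exchange server. Paths assume a default
# Exchange 2013/2016/2019 installation on C:; file names, content pattern and cut-off
# date are assumptions from public reporting and are a starting point, not a full IoC set.

param(
    [string]   $ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    [datetime] $Since        = (Get-Date '2021-01-01'),   # assumed earliest exploitation window
    [string]   $ReportPath   = "$env:TEMP\exchange-triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# Web roots where shells were reported dropped (assumed from public reporting).
$webDirs = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# File names publicly reported for dropped shells (assumed list; attackers rename freely).
$knownShellNames = @('web.aspx','help.aspx','document.aspx','errorEE.aspx','errorEW.aspx',
                     'errorFF.aspx','healthcheck.aspx','aspnet_www.aspx','aspnet_client.aspx',
                     'xx.aspx','shell.aspx','aspnet_iisstart.aspx','one.aspx')

# Content markers typical of one-line ASPX shells (eval of a request parameter, process spawn).
$shellContentPattern = '(eval\s*\(\s*Request|System\.Diagnostics\.Process|cmd\.exe)'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Path, $Reason) {
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $findings.Add([pscustomobject]@{
        Path          = $Path
        Reason        = $Reason
        CreationTime  = $item.CreationTimeUtc
        LastWriteTime = $item.LastWriteTimeUtc
        SHA256        = $hash
    })
}

$cutoff = $Since.ToUniversalTime()

# 1. Web shells: match on known name, on recent creation time, or on suspicious content.
foreach ($dir in ($webDirs | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($knownShellNames -contains $_.Name) {
                Add-Finding $_.FullName 'known web shell file name'
            } elseif ($_.CreationTimeUtc -ge $cutoff) {
                Add-Finding $_.FullName 'aspx created after cut-off date'
            } else {
                $body = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                if ($body -and $body -match $shellContentPattern) {
                    Add-Finding $_.FullName 'aspx content resembles a web shell'
                }
            }
        }
}

# 2. Staging archives: compressed files recently created anywhere under ProgramData.
Get-ChildItem -LiteralPath $env:ProgramData -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.zip', '.rar', '.7z' -and $_.CreationTimeUtc -ge $cutoff } |
    ForEach-Object { Add-Finding $_.FullName 'archive created after cut-off date in ProgramData' }

# 3. Report. No hits is not a clean bill of health; the IIS and HttpProxy logs still need review.
if ($findings.Count -eq 0) {
    Write-Host 'No matches. Continue the forensic review of IIS and HttpProxy logs.'
} else {
    $findings | Sort-Object CreationTime | Format-Table -AutoSize
    $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Host "Wrote $($findings.Count) finding(s) to $ReportPath. Preserve the files and hashes; do not delete before imaging."
}
```

Treat any hit as the start of an incident response, not the end: the shell is the attacker's foothold, and the bulletin's point is that the vulnerability being patched says nothing about whether that foothold, or the mailbox data it was used to export, is still present.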
REFERENCES

[1]  Microsoft Security Update Guidance
     https://portal.msrc.microsoft.com/en-us/security-guidance

[2]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26412
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412

[3]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26855
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

[4]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-27065
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

[5]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26857
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

[6]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-27078
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078

[7]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26854
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854

[8]  Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26858
     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

[9]  Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day
     Microsoft Exchange Vulnerabilities
     https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

[10] Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails
     https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/

[11] Microsoft issues emergency patches for 4 exploited 0-days in Exchange
     https://arstechnica.com/information-technology/2021/03/microsoft-issues-emergency-patches-for-4-exploited-0days-in-exchange/

[12] Hafnium YARA Rules
     https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium.yar

[13] Hafnium Sigma Rules
     https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_exploitation_hafnium.yml

[14] HAFNIUM targeting Exchange Servers with 0-day exploits
     https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[15] Patching for HAFNIUM is just half of the story
     https://www.auscert.org.au/blog/2021-03-16-patching-hafnium-just-half-story

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYFBAh+NLKJtyKPYoAQjofw/5AQ+LuOMJfhGpsEtY5FYeUj9BYSBGq+Ym
t+WbEGb33MysRrGIsO77wyHEAhm8OsOHw6ogoZ/+MDfcufmrs2HeaSqpiCcJ1R7/
KV3YijNj4eoQUPUhsiF26eox+xB4pVEE9neMZxJSmPvCTmxISVZOq+bdso/l1T4e
zbhTVKglu5p2fkISBwmuhzcuilQyvqxs+OKLr6E/1kWfrkTnsC7Gdi+9i4mUeZ5e
nitHEoXASApkZ1mbhJa0Q1dNGUgpdJsC7W3/t0Z9b8d9NdICanFJFa/QGIKxLvPY
JPUOyXluXtS2fDkoJ6YQDcZRYvKk5CYEqfYZtqosurPWACOE23Tm/s7sJ2N6YSa9
zkMqvWJYcT7ghLk2UQpXgIRh7DVBhZtWphdB43UkI9upkthkSEHhjBz0CQ4Wbszh
YCcrnZxmHFvykchzScNq7sLxjScgyY4ilqVNTQ5KgtLoL82Ufe9umNmH/I+rZilZ
bUb2VQXHSRNpgH6ZT9SPERyy+XVi7ZRqYxMu16KXPs6+n/bwPI64TadUNUUJOimM
MaZuKRRS/olJVPkvRmSyM21Me0SQKW9gHuyimn9/4Z8uP4H8VPAQqqOAkDVUpQep
fKsMvcQgbQ4GUe3zpW3I8J8TwvHU/txCRyahc0phSs6d5LVhJ+lUSnMWTv0+QH4A
+MrXgsFpvJ4=
=xYUm
-----END PGP SIGNATURE-----