The U.S. National Security Agency (NSA) discovered and reported to Microsoft four previously unknown vulnerabilities in on-premises Microsoft Exchange Server 2013, 2016 and 2019. Prompt patching is necessary because threat actors are likely to target the flaws.
Because of the severity of these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has directed all federal civilian agencies to patch every vulnerable on-premises Exchange Server by 12:01 AM EDT on April 16, 2021. At the time the patches were released there were no known cases of exploitation in the wild; however, now that the vulnerabilities are public, the patches are likely to be reverse-engineered and working exploits developed.
All four vulnerabilities allow remote code execution and could give threat actors complete control of unpatched Exchange Servers and, from there, extensive access to and control over the organization's network.
Two of the vulnerabilities, CVE-2021-28480 and CVE-2021-28481, can be exploited remotely by an unauthenticated attacker with no user interaction and carry a CVSS v3.1 score of 9.8 out of 10. The remaining two require the attacker to be authenticated: CVE-2021-28483 is rated 9.0 out of 10 and CVE-2021-28482 is rated 8.8 out of 10.
If a vulnerable Exchange Server cannot be updated before the deadline, CISA has directed agencies to remove it from federal networks until it has been patched. Management and/or technical controls must be in place to ensure that newly provisioned or previously disconnected endpoints are fully updated before they are reconnected to agency systems. CIOs or their equivalents must report to CISA by noon ET on April 16, 2021 confirming that all vulnerable Exchange Servers have been updated or disconnected, and any indicators of compromise from incidents discovered along the way should be reported to CISA.
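Confirming that every server actually carries the April 2021 Security Update is the check behind this directive, and it is easy to get wrong: Get-ExchangeServer reports AdminDisplayVersion, which only reflects the Cumulative Update (CU) level, not the Security Update (SU) level, so a server can look current while still being unpatched. The following script is an added example written for this page; it is not code from the original article, CISA or Microsoft. It reads the file version of ExSetup.exe on each server and compares it with the minimum patched build for that server's CU. The build table is an assumption taken from Microsoft's Exchange build-number table and should be verified against the current table before it is relied on; the function name Get-ExchangePatchStatus is likewise made up for this example.

```powershell
# Added example (not from the original article, CISA or Microsoft). Run from the
# Exchange Management Shell with an account that can PowerShell-remote to each server.

# ASSUMPTION: minimum builds that include the April 2021 SU, keyed by CU (major.minor.build).
# Taken from Microsoft's Exchange build-number table; verify before relying on them.
$PatchedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.15'   # Exchange 2013 CU23
    '15.1.2176' = [version]'15.1.2176.12'   # Exchange 2016 CU19
    '15.1.2242' = [version]'15.1.2242.8'    # Exchange 2016 CU20
    '15.2.792'  = [version]'15.2.792.13'    # Exchange 2019 CU8
    '15.2.858'  = [version]'15.2.858.10'    # Exchange 2019 CU9
}

function Get-ExchangePatchStatus {
    # Hypothetical function name for this example. Defaults to every Exchange server
    # in the organization; pass -ServerName to check a subset.
    param(
        [string[]]$ServerName = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    foreach ($srv in $ServerName) {
        # AdminDisplayVersion stops at the CU; the SU level is only visible in the
        # file version of ExSetup.exe, so read that on the server itself.
        $installed = Invoke-Command -ComputerName $srv -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo.FileVersion
        }
        $v = [version]$installed
        $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
        $required = $PatchedBuilds[$cuKey]

        if (-not $required) {
            # The April 2021 SU was only published for the CUs in the table; a server on an
            # older CU has no SU to install and must first be brought to a supported CU.
            $status = 'UNSUPPORTED_CU'
        } elseif ($v -ge $required) {
            $status = 'Patched'
        } else {
            $status = 'VULNERABLE'
        }

        [pscustomobject]@{
            Server        = $srv
            InstalledBuild = $installed
            RequiredBuild  = if ($required) { $required.ToString() } else { 'n/a' }
            Status         = $status
        }
    }
}

Get-ExchangePatchStatus | Sort-Object Status | Format-Table -AutoSize
```

Servers reported as VULNERABLE or UNSUPPORTED_CU are the ones the directive says must be patched or taken off the network; the same function can be run against a newly provisioned or previously disconnected server before it is reconnected, which covers the control the directive asks for.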
Microsoft released patches for all four vulnerabilities on April 2021 Patch Tuesday, alongside fixes for another 15 critical vulnerabilities across its product range and 88 rated important. One further zero-day was patched: CVE-2021-28310, a Win32k elevation-of-privilege vulnerability that Kaspersky reports is being actively exploited in the wild by at least one threat group. Chained with a browser exploit, it lets an attacker escape the browser sandbox and gain system privileges. Successful exploitation could allow remote code execution, the creation of new accounts with full privileges, viewing, changing or deleting data, and the installation of programs.