Security Advisory 2021-056

Release Date: 20/10/2021

Critical Vulnerability in Microsoft Exchange Server

History:

  • 20/10/2021 --- v1.0 -- Initial publication

Summary

On October 12, as part of its monthly Patch Tuesday, Microsoft released a new batch of patches fixing several vulnerabilities, one of which could lead to remote code execution on certain versions of Microsoft Exchange Server [1]. The vulnerability, identified as CVE-2021-26427, has a CVSS3 score of 9 out of 10 and could allow an attacker to execute code remotely on on-premise Exchange servers [2]. According to Microsoft, the attack vector for this vulnerability is adjacent, which means that the attacker needs to be on the same local network as the server to be able to exploit it.

No active exploitation of this vulnerability is known yet.

Technical Details

Few details are publicly available about how CVE-2021-26427 could be exploited. Microsoft states that CVE-2021-26427 is only exploitable from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, and that exploitation requires basic user privileges [2].

Affected Products

  • Microsoft Exchange Server 2019 Cumulative Update 10
  • Microsoft Exchange Server 2016 Cumulative Update 21
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2016 Cumulative Update 22

Only on-premise versions of Microsoft Exchange Server are exploitable. Microsoft Exchange Online is not affected by this flaw.

Recommendations

Applying the update released on October 12 to Exchange servers [2] is currently the only mitigation for this vulnerability.
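The following inventory check is an added example and is not part of this advisory or of Microsoft's guidance. It assumes it is run from the Exchange Management Shell with PowerShell remoting allowed to every Exchange server, and that the Exchange security update registers itself under the Windows Uninstall registry key with a DisplayName beginning "Security Update for Exchange Server" and an InstallDate in yyyyMMdd form (both assumptions by the author of this example). It maps each server to the product line named above from its AdminDisplayVersion, then reports whether a security update installed on or after October 12 is present; the Cumulative Update number must still be read from the reported version and compared against the affected list by the operator.

```powershell
# Added example (not from the advisory). Assumptions: Exchange Management Shell,
# remoting to each server, and the Uninstall-key naming described in the lead-in.
$PatchReleaseDate = [datetime]'2021-10-12'   # October 2021 Patch Tuesday

# AdminDisplayVersion prefix -> product line named in the advisory.
$ProductByPrefix = @{
    'Version 15.0' = 'Exchange Server 2013'
    'Version 15.1' = 'Exchange Server 2016'
    'Version 15.2' = 'Exchange Server 2019'
}

# Registry locations where installed updates/products are recorded.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$report = foreach ($srv in Get-ExchangeServer) {
    $version = [string]$srv.AdminDisplayVersion
    $prefix  = $ProductByPrefix.Keys | Where-Object { $version.StartsWith($_) } | Select-Object -First 1
    $product = if ($prefix) { $ProductByPrefix[$prefix] } else { 'Unknown / not in scope' }

    # Look on the server for an Exchange security update installed on or after the release date.
    $suInstalled = Invoke-Command -ComputerName $srv.Name -ArgumentList $UninstallKeys, $PatchReleaseDate -ScriptBlock {
        param($keys, $since)
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object {
                $_.DisplayName -like 'Security Update for Exchange Server*' -and
                $_.InstallDate -and
                [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $since
            } |
            Select-Object -ExpandProperty DisplayName
    }

    [pscustomobject]@{
        Server       = $srv.Name
        Product      = $product
        AdminVersion = $version          # shows the build; compare the CU against the affected list
        OctoberSU    = if ($suInstalled) { $suInstalled -join '; ' } else { '' }
        Status       = if ($suInstalled) { 'Security update present' }
                       elseif ($prefix)  { 'NEEDS UPDATE (affected product line)' }
                       else              { 'Review manually' }
    }
}

# Servers still needing the update sort to the top.
$report | Sort-Object Status | Format-Table -AutoSize
```

Because Exchange Online is not affected, only the on-premise organisation returned by Get-ExchangeServer is examined; servers that report a product line from the list above but no security update dated on or after the release are the ones to prioritise.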

References

[1] https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/October-2021.html

[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26427

[3] https://isc.sans.edu/forums/diary/Microsoft+October+2021+Patch+Tuesday/27928/
