{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-063.pdf"
    },
    "title": "RCE Vulnerability in Microsoft Exchange Server",
    "serial_number": "2021-063",
    "publish_date": "10-11-2021 14:03:00",
    "description": "On November 9, Microsoft released Exchange Server Security Updates fixing several vulnerabilities. One of them, identified as \"CVE-2021-42321\", has a CVSS 3.1 score of 8.8 out of 10. This is a post-authentication vulnerability that could allow an authenticated attacker to execute code remotely on Exchange Server 2016 and 2019.<br>This vulnerability affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.<br>Microsoft is aware of limited targeted attacks using this vulnerability. CERT-EU recommends installing these updates immediately.",
    "url_title": "2021-063",
    "content_markdown": "---\ntitle: 'RCE Vulnerability in Microsoft Exchange Server'\nversion: '1.0'\nnumber: '2021-063'\ndate: 'November 10, 2021'\n---\n\n_History:_\n\n* _10/11/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 9, Microsoft released Exchange Server Security Updates fixing several vulnerabilities [1]. One of them, identified as `CVE-2021-42321`, has a CVSS 3.1 score of 8.8 out of 10 [2]. This is a post-authentication vulnerability that could allow an authenticated attacker to execute code remotely on Exchange Server 2016 and 2019.\n\nThis vulnerability affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.\n\nMicrosoft is aware of limited targeted attacks using this vulnerability. CERT-EU recommends installing these updates immediately [2].\n\n# Technical Details\n\nLittle detail is publicly available about `CVE-2021-42321` [2]. According to Microsoft's security advisory, the flaw is caused by improper validation of `cmdlet` arguments. Exploitation requires the attacker to be authenticated; Microsoft's CVSS vector rates the required privileges as low, so the credentials of an ordinary mailbox user are sufficient.\n\n# Affected Products\n\n* Microsoft Exchange Server 2019\n* Microsoft Exchange Server 2016\n\nOnly _on-premises_ installations of Microsoft Exchange Server are exploitable, including servers used in Exchange Hybrid mode. Microsoft Exchange Online is not affected by these flaws.\n\n# Recommendations\n\nApplying the Security Updates released on November 9 [2] is currently the only mitigation for this vulnerability; no workaround is available. The updates are provided for the following Cumulative Update levels, so a server running an older CU must first be upgraded to one of these before the Security Update can be installed:\n\n* Exchange Server 2016 CU21 and CU22\n* Exchange Server 2019 CU10 and CU11\n\nTo check whether exploitation was attempted, run the following PowerShell query on each Exchange server. It searches the Application event log for errors mentioning `BinaryFormatter.Deserialize`, which Microsoft associates with exploitation attempts [1]:\n\n```\nGet-EventLog -LogName Application -Source \"MSExchange Common\" -EntryType Error | Where-Object { $_.Message -like \"*BinaryFormatter.Deserialize*\" }\n```\n\nAny matching event should be treated as a possible exploitation attempt and investigated. An empty result does not prove that the server was not targeted: the query only covers errors logged by the `MSExchange Common` source, and older events may already have been overwritten if the Application log has rolled over.\n\n# References\n\n[1] <https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>\n\n[2] <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>\n",
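    "editor_example_markdown": "The following is an added example (editor's code, not part of the CERT-EU advisory and not Microsoft's own guidance) showing how an administrator would turn the advisory's two recommendations into one post-patch check on an on-premises Exchange 2016 or 2019 server: first confirm that the Security Update is actually installed, since the SU sits on top of a CU and the CU version alone does not show it, then run the advisory's event-log check over a bounded window with `Get-WinEvent`. It assumes it is run from the Exchange Management Shell on the server itself; the minimum patched build numbers it carries are an assumption to be verified against Microsoft's Exchange build-number table before relying on the result.\n\n```powershell\n# Added example (editor's code, not CERT-EU's or Microsoft's): post-patch check for\n# CVE-2021-42321 on an on-premises Exchange 2016/2019 server.\n#   1. Read the installed build from ExSetup.exe. The Security Update is installed on\n#      top of a CU, so AdminDisplayVersion (the CU level) does not show whether the SU\n#      is present; the file version of ExSetup.exe does.\n#   2. Run the advisory's event-log check with Get-WinEvent over a bounded window.\n# Assumption: run from the Exchange Management Shell on the server being checked.\nparam(\n    [int]$LookbackDays = 30\n)\n\n# Assumption: minimum ExSetup.exe builds carrying the November 2021 SU for the four\n# CUs the advisory lists. Verify against Microsoft's Exchange build-number table.\n$patchedBuilds = @{\n    '15.1.2308' = [version]'15.1.2308.20'   # Exchange 2016 CU21\n    '15.1.2375' = [version]'15.1.2375.17'   # Exchange 2016 CU22\n    '15.2.922'  = [version]'15.2.922.19'    # Exchange 2019 CU10\n    '15.2.986'  = [version]'15.2.986.14'    # Exchange 2019 CU11\n}\n\n# ProductVersion is reported as e.g. 15.01.2375.017; [version] normalises the zeros.\n$installed = [version](Get-Command ExSetup.exe).FileVersionInfo.ProductVersion\n$cuKey = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build\n\nif (-not $patchedBuilds.ContainsKey($cuKey)) {\n    Write-Warning ('Build {0} is not one of the CUs that received the fix; upgrade to a supported CU first.' -f $installed)\n} elseif ($installed -lt $patchedBuilds[$cuKey]) {\n    Write-Warning ('Build {0} is below the patched build {1}; install the Security Update.' -f $installed, $patchedBuilds[$cuKey])\n} else {\n    Write-Output ('Build {0} includes the November 2021 Security Update.' -f $installed)\n}\n\n# Same detection logic as the advisory's Get-EventLog query, expressed with\n# Get-WinEvent so it can be bounded in time and returns full event objects for triage.\n$hits = Get-WinEvent -FilterHashtable @{\n    LogName      = 'Application'\n    ProviderName = 'MSExchange Common'\n    Level        = 2                                  # 2 = Error\n    StartTime    = (Get-Date).AddDays(-$LookbackDays)\n} -ErrorAction SilentlyContinue |\n    Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' }\n\nif ($hits) {\n    Write-Warning ('{0} possible exploitation attempt(s) in the last {1} days:' -f @($hits).Count, $LookbackDays)\n    $hits |\n        Select-Object TimeCreated, Id, MachineName,\n            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |\n        Format-Table -Wrap\n} else {\n    Write-Output ('No BinaryFormatter.Deserialize errors in the last {0} days (not proof of absence; see the advisory).' -f $LookbackDays)\n}\n```\n\nRun it on every on-premises Exchange server, including hybrid servers, after installing the Security Update. A build below the expected value means the SU did not install, which commonly happens when the MSP is run without elevation; a non-empty event list should be handed to incident response rather than dismissed because the server is now patched.\n",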
    "content_html": "<p><em>History:</em></p><ul><li><em>10/11/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 9, Microsoft released Exchange Server Security Updates fixing several vulnerabilities [1]. One of them, identified as <code>CVE-2021-42321</code>, has a CVSS 3.1 score of 8.8 out of 10 [2]. This is a post-authentication vulnerability that could allow an authenticated attacker to execute code remotely on Exchange Server 2016 and 2019.</p><p>This vulnerability affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.</p><p>Microsoft is aware of limited targeted attacks using this vulnerability. CERT-EU recommends installing these updates immediately [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>Little detail is publicly available about <code>CVE-2021-42321</code> [2]. According to Microsoft's security advisory, the flaw is caused by improper validation of <code>cmdlet</code> arguments. Exploitation requires the attacker to be authenticated; Microsoft's CVSS vector rates the required privileges as low, so the credentials of an ordinary mailbox user are sufficient.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Microsoft Exchange Server 2019</li><li>Microsoft Exchange Server 2016</li></ul><p>Only <em>on-premises</em> installations of Microsoft Exchange Server are exploitable, including servers used in Exchange Hybrid mode. Microsoft Exchange Online is not affected by these flaws.</p><h2 id=\"recommendations\">Recommendations</h2><p>Applying the Security Updates released on November 9 [2] is currently the only mitigation for this vulnerability; no workaround is available. The updates are provided for the following Cumulative Update levels, so a server running an older CU must first be upgraded to one of these before the Security Update can be installed:</p><ul><li>Exchange Server 2016 CU21 and CU22</li><li>Exchange Server 2019 CU10 and CU11</li></ul><p>To check whether exploitation was attempted, run the following PowerShell query on each Exchange server. It searches the Application event log for errors mentioning <code>BinaryFormatter.Deserialize</code>, which Microsoft associates with exploitation attempts [1]:</p><pre><code>Get-EventLog -LogName Application -Source \"MSExchange Common\" -EntryType Error | Where-Object { $_.Message -like \"*BinaryFormatter.Deserialize*\" }\n</code></pre><p>Any matching event should be treated as a possible exploitation attempt and investigated. An empty result does not prove that the server was not targeted: the query only covers errors logged by the <code>MSExchange Common</code> source, and older events may already have been overwritten if the Application log has rolled over.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169\">https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321\">https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}