On Tuesday, March 2, 2021, around 5:30 PM ET, Suite3 was made aware of several zero-day vulnerabilities affecting Microsoft Exchange Server versions 2013, 2016, and 2019. Microsoft had released security patches just a few hours before the news became public and Suite3 was notified.
Suite3 immediately enacted our Incident Response Plan and started the process for patch implementation and remediation. Suite3 began contacting all customers whose environments were potentially susceptible to these vulnerabilities.
Update: 03/03/2021 4:45 PM ET – All Suite3 customer servers have been remediated and customers have been contacted.
All servers were verified to be running, or were upgraded to, the newest Exchange Cumulative Update, and KB5000871 has been applied.
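As an added check (not Suite3's own script) for confirming the state described above on a given server, the PowerShell below looks for KB5000871 among the registered Exchange security updates and reports the build that ExSetup.exe actually carries. The `-MinimumBuild` value is a placeholder to be filled in from Microsoft's published Exchange build table for the server's Cumulative Update.

```powershell
# Added example, not Suite3's script: verify that Exchange security update
# KB5000871 is registered on this server and report the installed Exchange build.
# Run in an elevated PowerShell session on the Exchange server itself.
function Test-ExchangeSecurityUpdate {
    param(
        [string]$KB = 'KB5000871',
        # Placeholder: the patched build for your CU, taken from Microsoft's build table.
        [version]$MinimumBuild = [version]'0.0.0.0'
    )

    # Exchange SUs are MSP patches and register under the Uninstall keys with the KB in DisplayName.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $suEntry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$KB*" } |
        Select-Object -First 1

    # ExSetup.exe carries the real patched build; Get-ExchangeServer's AdminDisplayVersion
    # does not change when a security update is installed.
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    $build = $null
    if (Test-Path $exSetup) {
        $build = [version](Get-Item $exSetup).VersionInfo.ProductVersion
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecurityUpdate    = $KB
        SUInstalled       = [bool]$suEntry
        SUDisplayName     = $suEntry.DisplayName
        ExSetupBuild      = $build
        MeetsMinimumBuild = ($null -ne $build) -and ($build -ge $MinimumBuild)
    }
}

Test-ExchangeSecurityUpdate | Format-List
```

A server that reports `SUInstalled` as `False`, or a build below the published patched build for its CU, still needs the update regardless of what the cumulative update level alone suggests.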
The four vulnerabilities present in Microsoft Exchange Server 2013, 2016, and 2019 are as follows:
- CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.