New vulnerabilities announced by Microsoft in April may impact your clients. Here's what you need to know.
Last updated April 15, 2021
On Tuesday, April 13, Microsoft released patches for four new vulnerabilities in Microsoft Exchange Server software. Although this is the same type of software involved in the zero-day vulnerabilities announced in early March, the vulnerabilities announced Tuesday are new and separate.
No exploitation of these vulnerabilities has been observed yet, but their critical nature requires fast action. As with last month’s Exchange Server zero-days, an attacker could remotely gain considerable control within a victim’s Exchange environment to execute ransomware, or to drop difficult-to-identify web shells or other malware that can later be activated to launch an attack.
Any clients who use Microsoft Exchange software for traditional on-premises environments should apply the patches released this week as soon as possible (see Next Steps listed below). Having patched systems in response to last month’s vulnerability does not protect them from the current vulnerabilities.
👉 Note: Office 365 or “Exchange Online” environments are not affected and no action is required.
The vulnerabilities were discovered by the NSA, which informed Microsoft of their existence. While the timing of the release on Microsoft's traditional "Patch Tuesday" might suggest that these updates are run-of-the-mill, the involvement of the NSA suggests an elevated level of importance. That is reflected in the high scores applied to the vulnerabilities, which range from 8.8 to 9.8 (critical). Accordingly, the U.S. CISA, which issued a directive to federal agencies last month in response to the first set of Exchange Server vulnerabilities, has issued a supplemental direction to that directive covering the new set.
Quick facts: what you need to know now
- The software versions affected are Microsoft Exchange Server 2013, 2016, and 2019.
- These vulnerabilities are separate from those identified in March, and must be treated with the new patch issued by Microsoft this week.
- Exchange Server software runs on on-premises servers, meaning that Microsoft cannot force a software update across all of its customers, as the company occasionally has done for exploits affecting its cloud-based services such as Office 365 or Exchange Online. This puts the onus on customers themselves to recognize the need and patch their systems.
- Failure to patch software could result in a threat actor being able to:
  1. access any data stored on the impacted server
  2. gain remote access control over the server
  3. exfiltrate (steal) data from the server
  4. move laterally within a target network to compromise additional resources
Next Steps for Microsoft Exchange Customers
- Work with your IT department to ensure the following Microsoft Exchange Server patches are installed (see tip below for more help):
- Install the following critical patches for the Windows operating system. These are unrelated to the MS Exchange vulnerabilities but were released in the same batch of patches and are also a high priority if they are applicable.
  - CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
  - CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability
  - CVE-2021-28437 - Windows Installer Information Disclosure Vulnerability - PolarBear
  - CVE-2021-28458 - Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
- Check back to this article for updates in the coming days. Tools and advice may evolve in response to attack activity and/or any further discoveries.
💡 Tip: A convenient tool was created in response to the March vulnerabilities to help organizations determine whether they need to patch, whether they have any software configuration issues, and where to go for updates. This tool is still relevant and useful for this month's Exchange Server vulnerabilities. We encourage organizations to use it: Exchange Server HealthChecker
- [Article] NSA discovers critical Exchange Server vulnerabilities, patch now (Bleeping Computer)
- [Blog post] CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April Patch Tuesday (Tenable)
- [CISA Directive] Emergency Directive 21-02, Supplemental Direction v2 (Department of Homeland Security)