Microsoft patches Exchange Server bug exploited in the wild
This flaw only affects on-premises Exchange server instances
Microsoft has patched a high severity bug in Exchange Server 2016 and 2019, which could allow authenticated attackers to run code remotely on vulnerable machines.
The vulnerability, indexed as CVE-2021-42321, is a post-authentication flaw that only affects on-premises Exchange servers, including those used by customers in Exchange Hybrid mode.
It is caused by improper validation of command-let (cmdlet) arguments and has seen "limited targeted attacks" in the wild, according to Microsoft.
Microsoft rates the attack complexity as low and says exploitation requires no user interaction; it assigns the flaw a high impact on confidentiality, integrity and availability.
"Our recommendation is to install these updates immediately to protect your environment," the Redmond-based company wrote in a blog post.
However, to install the updates, customers must first be running Exchange Server 2016 CU21 or CU22, or Exchange Server 2019 CU10 or CU11.
Exchange Online customers are protected and don't need to take any further action.
The Microsoft Exchange team has also shared a PowerShell query that Exchange admins can run to check whether exploitation attempts have been made against their servers.
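The two checks an admin wants at this point, the CU prerequisite and the exploit-attempt search, as one added example to run in the Exchange Management Shell. This is not the Exchange team's published query. The build-to-CU mapping is assumed from Microsoft's Exchange build-number table (a security update keeps the CU's build number and only raises the revision, so the comparison ignores the revision), and the event-log indicator (Application log, source "MSExchange Common", Error events mentioning BinaryFormatter.Deserialize) is assumed from Microsoft's release notes; verify both against the current guidance before relying on them.

```powershell
# Added example, not the Microsoft Exchange team's published query.
# Run in the Exchange Management Shell on an on-premises Exchange 2016/2019 server.

# Part 1: is each server on a CU that the November 2021 security update installs on?
# Assumed from Microsoft's build-number table: CU base builds (major.minor.build, revision ignored).
$supportedCuBuilds = @{
    '15.1.2308' = 'Exchange 2016 CU21'
    '15.1.2375' = 'Exchange 2016 CU22'
    '15.2.922'  = 'Exchange 2019 CU10'
    '15.2.986'  = 'Exchange 2019 CU11'
}

function Test-SecurityUpdatePrerequisite {
    param([Parameter(Mandatory)] $Server)   # one object returned by Get-ExchangeServer

    # AdminDisplayVersion renders as "Version 15.1 (Build 2375.7)"; keep 15.1.2375, drop the revision
    $text = $Server.AdminDisplayVersion.ToString()
    if ($text -notmatch 'Version (\d+\.\d+) \(Build (\d+)\.(\d+)\)') {
        return [pscustomobject]@{ Server = $Server.Name; Build = $text; CanInstallSU = $false; Note = 'unparsed version string' }
    }
    $cuBuild = "$($Matches[1]).$($Matches[2])"
    $known   = $supportedCuBuilds.ContainsKey($cuBuild)
    [pscustomobject]@{
        Server       = $Server.Name
        Build        = $text
        CanInstallSU = $known
        Note         = if ($known) { $supportedCuBuilds[$cuBuild] } else { 'upgrade to a supported CU before applying the SU' }
    }
}

# Part 2: look for exploitation attempts. Indicator assumed from Microsoft's release notes:
# Error events from source "MSExchange Common" in the Application log whose message mentions
# BinaryFormatter.Deserialize. Event logs are per server, so each one is queried separately.
function Find-ExploitAttempt {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $Days = 30)

    Get-EventLog -ComputerName $ComputerName -LogName Application -Source 'MSExchange Common' `
                 -EntryType Error -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object @{ n = 'Server'; e = { $ComputerName } }, TimeGenerated, EventID,
                      @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

# Run both checks across every Exchange server in the organisation.
$servers = Get-ExchangeServer
$servers | ForEach-Object { Test-SecurityUpdatePrerequisite -Server $_ } | Format-Table -AutoSize

$hits = $servers | ForEach-Object { Find-ExploitAttempt -ComputerName $_.Name }
if ($hits) {
    Write-Warning 'Events matching the CVE-2021-42321 indicator were found; treat those servers as suspect and investigate.'
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No matching events in the Application log on any server in the last 30 days.'
}
```

A hit only shows that someone sent a malformed cmdlet argument that Exchange refused to deserialize; it does not on its own say whether the attempt succeeded, so pair it with a review of the authenticated account that made the request and with the usual post-compromise checks on that server.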
"In order to exploit this flaw, an attacker would need to be authenticated, which limits some of the impact," said Satnam Narang, staff research engineer at Tenable.
On-premises Exchange server bugs have become a major issue of concern for Microsoft in 2021.
In March, Microsoft released out-of-band security updates to address four zero-day bugs that were being actively exploited by hackers to compromise Exchange Server.
Microsoft attributed the attacks to a newly identified state-sponsored threat actor, which it named Hafnium. It described Hafnium as a highly skilled actor assessed to be operating out of China.
The attacks on Exchange Servers by Hafnium were carried out in three steps. First, it used zero-day bugs or stolen passwords to gain access to an Exchange Server. Then it created a web shell to control the compromised server remotely, and finally, it used the remote access to exfiltrate sensitive data from compromised machines.
Security researcher Brian Krebs claimed that at least 30,000 organisations across the United States had been compromised through these vulnerabilities.
Cyber security firm ESET said that it had evidence suggesting that at least 10 hacker groups were exploiting bugs in Microsoft Exchange Server to infiltrate computer systems across the globe.
In August, security researchers warned that threat actors were scanning the internet for Exchange Server instances that had not been patched for the ProxyShell vulnerability.
ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) which, when used together, could enable a threat actor to perform unauthenticated, remote code execution (RCE) on unpatched Microsoft Exchange servers.
Microsoft quietly patched CVE-2021-34473 and CVE-2021-34523 in April with its KB5001779 cumulative update, while CVE-2021-31207 was patched about a month later.