Exchange Server admins advised to patch vulnerable machines after POC exploit released for high-severity bug

POC exploit released for high-severity Exchange Server bug


Microsoft has described the flaw as having a high impact on data integrity, confidentiality and availability

A security researcher has published proof-of-concept (PoC) exploit code for a high-severity vulnerability in Exchange Server that Microsoft patched earlier this month.

The security flaw, indexed as CVE-2021-42321, affects Exchange Server 2016 and Exchange Server 2019 and could enable an authenticated attacker to run code remotely on vulnerable machines.

The vulnerability is a post-authentication flaw that only affects on-premises Exchange servers, including those used by customers in Exchange Hybrid mode.

In its advisory published earlier this month, Microsoft described the flaw as having a high impact on data integrity, confidentiality and availability. The company said the vulnerability requires no user interaction and has seen "limited targeted attacks" in the wild.

On Sunday, almost two weeks after Microsoft patched the flaw, a security researcher who goes by the moniker 'Janggggg' published PoC exploit code for the vulnerability.

"As many ppl requested, here is the PoC of CVE-2021-42321, Exchange Post-Auth RCE," the researcher tweeted.

"This PoC [will] just pop mspaint.exe on the target, [and] can be use[d] to recognize the signature pattern of a successful attack event."

The exploit code has been published on GitHub and, according to 'Janggggg', cannot be used directly to run arbitrary code. However, the researcher provided a link to a tool that he says will help people generate their own shellcode, which can be embedded into the exploit to make it run arbitrary commands.

This PoC should further serve as a reminder for lazy admins to patch their vulnerable machines without further delay.

Microsoft warned this month that cyber actors were actively targeting CVE-2021-42321 in efforts to install malware on vulnerable systems and spy on corporate emails.

"Our recommendation is to install these updates immediately to protect your environment," the company said.

The Microsoft Exchange team also shared a PowerShell query that admins can use to check whether an exploit attempt was made against their servers. Admins can also use the Exchange Server Health Checker script to generate a list of all vulnerable servers in the network that still need to be patched against CVE-2021-42321.
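As an added example (not code from the article or from Microsoft), the following PowerShell wraps that kind of check into a reusable filter. The log source and message pattern ('MSExchange Common' errors mentioning BinaryFormatter.Deserialize) are the ones Microsoft published with its November 2021 guidance; the function names, parameters and the sample events are constructed here so the filter can be tried offline.

```powershell
# Added example: filter Application-log errors for the deserialization
# failure pattern Microsoft associated with CVE-2021-42321 exploit attempts.
# Function names and the sample events below are constructed for illustration.

function Select-ExchangeDeserializationError {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Events,
        [string] $Pattern = '*BinaryFormatter.Deserialize*'
    )
    process {
        foreach ($e in $Events) {
            # Only 'MSExchange Common' errors whose text matches the pattern count as a hit.
            if ($e.Source -eq 'MSExchange Common' -and
                $e.EntryType -eq 'Error' -and
                $e.Message -like $Pattern) {
                [pscustomobject]@{
                    TimeGenerated = $e.TimeGenerated
                    Server        = $e.MachineName
                    Excerpt       = ($e.Message -split "`n")[0]   # first line only, for a readable report
                }
            }
        }
    }
}

function Get-ExchangeDeserializationError {
    # Live query: pull recent 'MSExchange Common' errors from a server and run them through the filter.
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Days = 30)
    Get-EventLog -LogName Application -ComputerName $ComputerName -Source 'MSExchange Common' `
                 -EntryType Error -After (Get-Date).AddDays(-$Days) |
        Select-ExchangeDeserializationError
}

# Constructed sample events (not real log data): one matching hit, one unrelated error, one benign entry.
$sample = @(
    [pscustomobject]@{ TimeGenerated = [datetime]'2021-11-15T08:12:00'; MachineName = 'EX01'
                       Source = 'MSExchange Common'; EntryType = 'Error'
                       Message = "Watson report about to be sent for process id: 1234`nException: System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize failed" }
    [pscustomobject]@{ TimeGenerated = [datetime]'2021-11-15T08:13:00'; MachineName = 'EX01'
                       Source = 'MSExchange Common'; EntryType = 'Error'
                       Message = 'Unrelated transport error, no deserialization involved' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2021-11-15T08:14:00'; MachineName = 'EX02'
                       Source = 'MSExchange ADAccess'; EntryType = 'Information'
                       Message = 'BinaryFormatter.Deserialize mentioned, but wrong source and not an error' }
)

$hits = @($sample | Select-ExchangeDeserializationError)
"Matched $($hits.Count) of $($sample.Count) sample events"   # expected: 1 of 3
$hits | Format-Table -AutoSize
```

Running `Get-ExchangeDeserializationError -ComputerName <server>` against each on-premises Exchange server gives a quick per-host triage list; a hit is a reason to investigate, not proof of compromise on its own.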

On-premises Exchange Server bugs have become a major concern for Microsoft in 2021.

In March, Microsoft released out-of-band security updates to address four zero-day bugs that were actively exploited by hackers to compromise Exchange Server.

Microsoft attributed the attacks to a newly identified state-sponsored threat actor, which it named Hafnium. It said Hafnium was a highly sophisticated actor, with its members thought to be based in China.

Security researcher Brian Krebs claimed that at least 30,000 organisations across the United States had been compromised through these vulnerabilities.

In August, security researchers warned that threat actors were scanning the internet for Exchange Server instances that had not been patched for the ProxyShell vulnerability.

ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) which, when used together, could enable a threat actor to perform unauthenticated, remote code execution (RCE) on unpatched Microsoft Exchange servers.

Microsoft quietly patched CVE-2021-34473 and CVE-2021-34523 in April with its KB5001779 cumulative update, while CVE-2021-31207 was patched about a month later.