Microsoft Patches 4 More Exchange FlawsPatch Tuesday Update: These Vulnerabilities Not Yet Exploited in Wild
Microsoft issued patches Tuesday for four more vulnerabilities in on-premises versions of the Exchange Server corporate email platform, one of which is a zero-day flaw.
These latest patches come after Microsoft in March patched four critical flaws in Exchange Server that had been widely exploited by attackers.
Microsoft said a China-based group it calls Hafnium had exploited those flaws to gain persistent access to email systems, but researchers said several criminal groups had exploited the flaws.
Commenting on the latest Exchange patches, Satnam Narang, staff research engineer at the security firm Tenable, says: "While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible."
The on-premises Exchange Server-related vulnerabilities fixed this month are the zero-day tracked as CVE-2021-31207 along with CVE-2021-31198, CVE-2021-31209 and CVE-2021-31195. Attackers are not exploiting these vulnerabilities in the wild, Microsoft says.
CVE-2021-31207, which Microsoft rates as a moderate vulnerability, is a security feature bypass that is considered unlikely to be exploited, Microsoft says.
Chris Goettl, senior director of security at Ivanti, notes that despite its moderate rating, patching CVE-2021-31207 should be considered a priority because of the very public demonstration of the exploit made during the recent Pwn2Own contest when it was disclosed. "At this point, threat actors will be able to take advantage of the vulnerability if they have not already begun attempting to reverse-engineer and exploit," he says.
The remaining Exchange issues are all rated "important," with CVE-2021-31198 and CVE-2021-31195 leading to remote code execution if exploited, while CVE-2021-31209 could allow a device to be spoofed.
Tyler Reguly, manager of security research and development at the security firm Tripwire, says there's a good chance additional on-premises Exchange Server vulnerabilities will be discovered.
"Exchange is an interesting target as you have multiple vectors, including network connectivity, email processing and any tools that have been added to scan for sensitive information or process attachments," Reguly says. "With a large user base, a large attack surface and a long history of code - Exchange just turned 25 last month - it seems likely that it will be a popular target until researchers have exhausted their options.”
Additional Zero-Days Patched
On Patch Tuesday, Microsoft released 55 security updates, with four rated as critical.
Cybersecurity watchers singled out two other newly disclosed vulnerabilities; CVE-2021-31204, a privilege vulnerability in .NET and Visual Studio, and CVE-2021-31200, a remote code execution issue in Common Utilities.
"This code execution vulnerability [CVE-2021-31200] is found in Neural Network Intelligence, an open-source tool for managing AutoML experiments. Since it is an open-source project, you can see the code change that was made to resolve this vulnerability," Reguly says. "It is interesting to note that the fixed code was committed on Dec 21, 2020, but it did not make a Patch Tuesday release until May."
Critical Vulnerabilities to Patch
Tenable's Narang says administrators should pay close attention to CVE-2021-31166, a remote code execution vulnerability in the HTTP Protocol Stack. Microsoft rates this vulnerability as "exploitation more likely" on the company's Exploitability Index.
The flaw takes some effort to exploit. An attacker would need to target a vulnerable server using the HTTP Protocol Stack with a packet containing the exploit code, Narang says, adding that this vulnerability is wormable, meaning it can self-replicate on its own without human intervention in much the same way WannaCry was able to replicate itself.
Trend Micro's Zero Day Initiative notes that with a rating of CVSS 9.9, the remote code execution vulnerability CVE-2021-28476 in Hyper-V holds the highest severity rating of all patched security issues this month. But Microsoft believes an attacker is more likely to utilize this flaw to launch a distributed denial-of-service attack in the form of a bug check rather than to run code.
"Because of this, it could be argued that the attack complexity would be high, which changes the CVSS rating to 8.5," Trend Micro says. "That still rates as high severity, but not critical. Still, the bugcheck alone is worth making sure your Hyper-V systems get this update."
The other two critical issues are the remote code execution flaws CVE-2021-26419 in Windows Server 8.1 and 7 for 32- and 64-bit systems and CVE-2021-31194 in various versions of Windows Server 2012, 2008 and RT.