icetray - Fotolia

Exchange Server bugs continue to bite on April Patch Tuesday

Microsoft resolves 110 vulnerabilities, including a zero-day and four public disclosures, but the company says admins should prioritize four critical bugs on Exchange Server.

Exchange administrators still reeling from last month's flurry of fixes won't get much rest after Microsoft delivered four more fixes for the messaging platform on April Patch Tuesday.

Microsoft released patches for four critical remote-code execution vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483) for Exchange Server that were discovered through a joint effort with the National Security Agency and the Microsoft security team. Last month, Microsoft released out-of-band patches to correct four zero-days for Exchange.

Microsoft resolved 110 total unique vulnerabilities, including one zero-day and four publicly disclosed vulnerabilities, with 19 rated critical for April Patch Tuesday.

Exchange Server continues to draw attention

An April 13 blog by the Microsoft Security Response Center emphasized that customers should update systems to the latest software versions and use automatic updates to patch systems as fixes become available. The blog said organizations should prioritize the Exchange Server fixes.

"We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats," the blog said, adding that Exchange Online customers are not affected.

Chris Goettl, senior director of product management for security products at IvantiChris Goettl

Chris Goettl, senior director of product management for security products at Ivanti, said a recent Pwn2Own event uncovered more Exchange vulnerabilities not addressed by April Patch Tuesday, which will most likely result in more out-of-band patches for the beleaguered on-premises messaging platform.

"Exchange is a target right now. Analysts and threat actors alike are going to be swarming around it," Goettl said. "Take this [Patch Tuesday] seriously even though the exploits were unproven at this point, but they were all confirmed and resolved by Microsoft."

How do you solve a problem like on-premises Exchange Server?

A March 25 blog from the Microsoft 365 Defender Threat Intelligence Team said the number of Exchange Server deployments vulnerable to attacks based on exploits from the threat actor group dubbed Hafnium diminished significantly, with 92% of vulnerable deployments patched. Earlier reports indicated approximately 400,000 Exchange Server systems were susceptible to attacks based on four vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065) before Microsoft issued out-of-band patches for these bugs on March 2.

Microsoft undertook several other actions to support customers running affected Exchange Server systems, such as releasing threat detection utilities to help organizations determine if they had been exploited and a "one-click" mitigation tool to assist administrators who were unable to apply the security updates quickly. The company also updated Microsoft Defender Antivirus to include Exchange Server mitigation capabilities and server scanning functionality.

The blog stressed the importance of the least-privilege principle to make it more difficult for an intruder to cause more damage after a breach.

"Given configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later."

The blog also shared ways to improve security to prevent a future breach from causing widespread damage.

"It's important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement," the blog said.

Many organizations that use Exchange Online in Office 365 for hosted email need an on-premises Exchange Server to synchronize passwords from Active Directory and to handle some email-related functions. The requirement to keep this hybrid arrangement leaves organizations in jeopardy whenever a new vulnerability for Exchange arrives.

"There is this dependency on a lot of legacy platforms. If Exchange is still running, oftentimes it's providing a critical role and sensitive data is flowing through it. It's going to have a higher level of privileges than your average server workload," Goettl said. "A lot of companies are still struggling with this. It's not an easy or low-cost solution to get away from."

Microsoft addresses zero-day and four public disclosures

The zero-day vulnerability is a Win32k elevation of privilege flaw (CVE-2021-28310) rated important for Windows 10, Windows Server 2019 and later Windows Server versions. This vulnerability was detected as early as March 12, which could mean attackers have been using the exploit for as long as a month in phishing campaigns to gain access to a system, Goettl said.

"One of the challenges of this vulnerability is it was only rated as important, so companies that only do vendor critical flaws first could have missed this. But the good news is it's part of the OS cumulative update this month," he said.

The first public disclosure vulnerability is an RPC Endpoint Mapper Service elevation of privilege bug (CVE-2021-27091) rated important that affects Windows 7, Windows Server 2008 R2 and Windows Server 2012 systems. Microsoft's information in this CVE indicates proof-of-concept code exists, which could allow an attacker to finish the development to produce a working exploit.

The second public disclosure, a Windows Installer information disclosure vulnerability (CVE-2021-28437) rated important for supported Windows client and server systems. This type of bug is typically used for reconnaissance to extract information to gain further system access, Goettl said.

CVE-2021-28312 is the third public disclosure, a Windows NTFS denial-of-service vulnerability, rated moderate for Windows 10, Windows Server 2019 and later Windows Server versions.

"This vulnerability has the lowest CVSS score out of these five disclosures, including the zero-day, but the researcher who discovered it had functioning exploit code, so this one should be treated with a higher response than a moderate would entail," Goettl said.

The final public disclosure is an elevation-of-privilege vulnerability (CVE-2021-28458) rated important that affects the Azure ms-rest-nodeauth authentication library used with services on Microsoft's cloud platform.

Other security updates of note for April Patch Tuesday

  • Administrators in developer-based environments will want to address the multiple exploits for Visual Studio Code (CVE-2021-28448, CVE-2021-28457, CVE-2021-28469, CVE-2021-28470, CVE-2021-28471, CVE-2021-28472, CVE-2021-28473, CVE-2021-28475, CVE-2021-28477) all rated important.
  • IT teams that manage Azure DevOps Server have two vulnerabilities (CVE-2021-28459 and CVE-2021-27067) rated important to address for that product.

Dig Deeper on Microsoft messaging and collaboration

Cloud Computing
Enterprise Desktop
Virtual Desktop