icetray - Fotolia

May Patch Tuesday brings more bad news for Exchange admins

Microsoft releases four fixes for the email server product, which remains firmly in the sights of threat actors seeking new ways to exploit the system.

Exchange Server continues to draw unwanted attention from attackers as Microsoft released four fixes, including one that had been publicly disclosed, for the messaging platform on May Patch Tuesday.

Microsoft addressed 55 unique vulnerabilities for its software products with four rated critical this month. In total, three bugs were publicly disclosed before this month's patches were released.

Multiple Exchange Server patches released

For the third month in a row, fixes for multiple Exchange vulnerabilities continue to roll out from Microsoft. Trouble for the on-premises email and calendaring product started in early March when Microsoft shipped seven fixes, including four zero-days developed by the so-called Hafnium group, to thwart exploit attempts on approximately 400,000 susceptible Exchange Server systems. For April Patch Tuesday, Microsoft worked with the National Security Agency to shut down four critical remote-code execution vulnerabilities in Exchange. And, as expected, Exchange vulnerabilities revealed at the 2021 Pwn2Own hacking contest were finally addressed by the May Patch Tuesday security updates.

The four Exchange Server vulnerabilities (CVE-2021-31195, CVE-2021-31198, CVE-2021-31207, CVE-2021-31209) affect all supported versions of the messaging platform. Microsoft's Knowledge Base article KB5003435 and a blog from the Microsoft Exchange team detailed several potential issues administrators might face while urging a rapid patch deployment.

"Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment," the blog said.

Microsoft's notes in its Security Update Guide for (CVE-2021-31207 and CVE-2021-31209) indicate the two vulnerabilities stemmed from the 2021 Pwn2Own contest held in early April. It was not clear if the May Patch Tuesday security updates addressed all the vulnerabilities uncovered at the hacking event.

The publicly disclosed vulnerability (CVE-2021-31207) is a security feature bypass vulnerability rated moderate and with an assessment of "Exploitation Less Likely." This combination of factors might downplay the severity of the threat for some admins when a prompt patch rollout should be in order, according to one security expert.  

Chris GoettlChris Goettl

"For threat actors that take advantage of Exchange vulnerabilities, complexity really isn't a barrier for them. This is not going to slow them down," said Chris Goettl, senior director of product management for security products at Ivanti. "Once the vulnerability gets disclosed, they're going to look to capitalize on the exhaustion of Exchange admins after having several months of these Exchange updates."

Goettl said the attention on Exchange over the last several months is enough reason to expedite patches for the email server product, which is notoriously difficult to update. There are still many Exchange deployments running in data centers worldwide that cannot migrate to the cloud for several factors, including limited budgets or dependencies on a legacy technology.

"Exchange was always a step up in complexity compared to most updates, but organizations still running an on-prem Exchange typically do so because of even more complexities, such as some type of a forwarding or other integrations or plugins that they have to run that aren't supported outside of Exchange," Goettl said.

Other public disclosures addressed by May Patch Tuesday

The two remaining publicly disclosed vulnerabilities were not under active exploit, according to Microsoft.

A .NET and Visual Studio elevation-of-privilege vulnerability (CVE-2021-31204) is rated important and would require interaction from an authorized user to trigger the exploit, which would then allow the threat actor to elevate their permissions. This flaw affects Visual Studio 2019 for Windows and macOS, and .NET 5.0 and .NET Core 3.1.

"To fix the issue, please install the latest version of .NET 5.0 or .NET Core 3.1. If you have installed one or more .NET Core SDKs [software development kits] through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET Core SDKs," a Microsoft official wrote on the .NET GitHub site.

The other public disclosure, a common utilities remote-code execution vulnerability (CVE-2021-31200) rated important, is related to an open-source Python-based toolkit used to automate different machine learning technologies. Users must download the latest copy of the toolkit to remove the threat. 

Other security updates of note for May Patch Tuesday

  • An HTTP protocol stack remote-code execution vulnerability (CVE-2021-31166) rated critical affects Windows 10 and Server Core version 20H2 and 2004 in Windows Server. This flaw has a severity rating of 9.8 out of 10, and Microsoft urges administrators to patch this "wormable" bug promptly. An unauthenticated attack would only need to send a specially crafted packet to a vulnerable server with the potential to spread quickly to other unpatched systems.
  • A Microsoft SharePoint Server remote-code execution vulnerability (CVE-2021-28474) rated important could let an authenticated threat actor build a site and run code within a SharePoint Server, which could lead to further attacks across the network.

Dig Deeper on Windows Server OS and management

Cloud Computing
Enterprise Desktop
Virtual Desktop
Close