Four newly disclosed vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 have been reported to Microsoft by the U.S. National Security Agency (NSA).
These versions of Microsoft Exchange Server must be patched as soon as possible to prevent the vulnerabilities from being exploited by cybercriminals.
The Cybersecurity and Infrastructure Security Agency (CISA) has already issued a directive (a supplemental direction to Emergency Directive 21-02) requiring all federal agencies to patch every vulnerable on-premises Exchange Server no later than 12:01 AM EDT on Friday, April 16, 2021, because of the high risk of the flaws being targeted. To date there has been no evidence of the vulnerabilities being exploited in the wild, although an organization that has been compromised may simply not have disclosed the breach yet.
By exploiting the vulnerabilities, attackers could achieve remote execution of arbitrary code, take control of vulnerable Exchange Servers, and gain persistent access to and control over enterprise networks.
Two of the flaws can be exploited remotely by unauthenticated attackers with no user interaction required. Those two, tracked as CVE-2021-28480 and CVE-2021-28481, have been given a CVSS v3.1 base score of 9.8 out of 10. The third flaw, CVE-2021-28483, has been assigned a score of 9.0 out of 10, and the fourth, CVE-2021-28482, a score of 8.8 out of 10.
Should any vulnerable Microsoft Exchange Servers remain unpatched at the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the patches have been applied. Technical and/or management controls must be configured to ensure that newly provisioned or previously disconnected endpoints are patched before they are connected to agency networks. CIOs or equivalents are required to file a report with CISA by noon ET on Friday confirming that all vulnerable Exchange Servers have been patched or disconnected, and any cyber incidents discovered must be reported to CISA together with their Indicators of Compromise.
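One way to turn that patch-or-disconnect requirement into a repeatable check is to collect the Exchange build from every server and compare it against the builds that carry the April 2021 security update. The script below is an added example, not code from Microsoft, CISA or this article. It assumes an inventory in a constructed `hostname,exsetup_version` CSV, where the version is the file version of ExSetup.exe on each server (the reliable indicator: the AdminDisplayVersion shown by Get-ExchangeServer identifies the cumulative update but does not change when a security update is installed). The build table lists the April 2021 SU build for each cumulative update that received the update; verify it against Microsoft's published Exchange Server build-number table before relying on it. A server on an older CU cannot take the SU at all and must be upgraded first, which the script reports separately from a server that merely lacks the SU.

```python
"""Triage an Exchange Server build inventory against the April 2021 SU.

Added example for this article; not code from Microsoft, CISA or the article.
Build numbers are those of the April 2021 security update for each supported
cumulative update and should be verified against Microsoft's published Exchange
build-number table before use. The inventory format is a constructed assumption.
"""
from typing import Dict, List, Tuple

# (major, minor, CU build) -> revision at which the April 2021 SU is present.
APRIL_2021_SU = {
    (15, 0, 1497): 15,  # Exchange 2013 CU23
    (15, 1, 2176): 12,  # Exchange 2016 CU19
    (15, 1, 2242): 8,   # Exchange 2016 CU20
    (15, 2, 792): 13,   # Exchange 2019 CU8
    (15, 2, 858): 10,   # Exchange 2019 CU9
}
PRODUCT = {(15, 0): "Exchange 2013", (15, 1): "Exchange 2016", (15, 2): "Exchange 2019"}

# Constructed sample: ExSetup.exe file versions collected from six servers.
SAMPLE_INVENTORY = """hostname,exsetup_version
ex01.corp.example,15.2.858.10
ex02.corp.example,15.2.792.10
ex03.corp.example,15.1.2106.13
ex04.corp.example,15.0.1497.15
ex05.corp.example,15.1.2242.4
ex06.corp.example,unknown
"""


def parse_build(text: str) -> Tuple[int, int, int, int]:
    """Parse 'a.b.c.d' into four ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Exchange build: {text!r}")
    major, minor, cu, rev = (int(p) for p in parts)
    return major, minor, cu, rev


def assess(build_text: str) -> Tuple[str, str]:
    """Return (status, reason); status is patched, needs-su, needs-cu or unknown."""
    major, minor, cu, rev = parse_build(build_text)
    product = PRODUCT.get((major, minor))
    if product is None:
        return "unknown", f"{build_text} is not an Exchange 2013/2016/2019 build"
    required = APRIL_2021_SU.get((major, minor, cu))
    if required is None:
        # The SU only exists for the CUs in the table: an older CU has to be
        # upgraded first; a newer one means the table itself is stale.
        supported = [k[2] for k in APRIL_2021_SU if k[:2] == (major, minor)]
        if cu < min(supported):
            return "needs-cu", f"{product} {build_text}: no April 2021 SU for this CU; upgrade to a supported CU, then apply the SU"
        return "unknown", f"{product} {build_text}: CU newer than this table; refresh the build table"
    if rev >= required:
        return "patched", f"{product} {build_text} includes the April 2021 SU"
    return "needs-su", f"{product} {build_text} is below {major}.{minor}.{cu}.{required}; apply the April 2021 SU"


def triage(inventory_csv: str) -> Dict[str, Tuple[str, str]]:
    """Assess every host in a 'hostname,exsetup_version' CSV (header skipped)."""
    results: Dict[str, Tuple[str, str]] = {}
    for line in inventory_csv.strip().splitlines()[1:]:
        host, _, build = line.partition(",")
        try:
            results[host.strip()] = assess(build)
        except ValueError as exc:
            # Unparseable version: treat as not confirmed, never as patched.
            results[host.strip()] = ("unknown", str(exc))
    return results


def not_confirmed_patched(results: Dict[str, Tuple[str, str]]) -> List[str]:
    """Hosts that must be patched, disconnected, or checked by hand."""
    return sorted(h for h, (status, _) in results.items() if status != "patched")


if __name__ == "__main__":
    findings = triage(SAMPLE_INVENTORY)
    for host, (status, reason) in findings.items():
        print(f"{host:20} {status:9} {reason}")
    print("not confirmed patched:", ", ".join(not_confirmed_patched(findings)))
```

Anything that is not positively confirmed as patched, including a version string that fails to parse, lands on the disconnect-or-review list; a compliance check that defaults to "fine" on bad input is the kind of gap the directive's disconnect requirement is meant to close.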
Patches for all four flaws were released by Microsoft on April 2021 Patch Tuesday (April 13), alongside patches for a further 15 critical flaws across its product suite and 88 flaws rated important. One zero-day vulnerability was also patched, a Win32k elevation of privilege vulnerability, CVE-2021-28310, which Kaspersky believes is being actively exploited in the wild by at least one threat group.
Chained with a browser exploit, that flaw would let attackers escape the browser sandbox and obtain system-level privileges for further access. Exploitation of the critical flaws would permit remote execution of arbitrary code, the creation of new accounts with full privileges, disclosure and destruction of information, and the installation of new software.