In March 2021, Microsoft disclosed multiple zero-day vulnerabilities that were being exploited by cyber espionage groups, notably Hafnium, to attack on-premises Microsoft Exchange servers (Exchange 2013, 2016 and 2019). The threat groups chained these vulnerabilities to gain access to on-premises Exchange servers and deploy web shells, which gave them persistent remote access to steal data and install further malware on the compromised server. The four zero-day vulnerabilities exploited by the Hafnium group were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
In this guide, we'll explain these vulnerabilities in detail and the ways to check for them and fix them on your Exchange server.
Microsoft Exchange Server Vulnerabilities
Microsoft published details of how the attackers exploited each of these vulnerabilities. Here are the details:
- CVE-2021-26855: This is a server-side request forgery (SSRF) vulnerability in Exchange that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server. It is the entry point of the attack chain and needs nothing more than network access to the server's HTTPS port. To reduce exposure, restrict untrusted connections to the Exchange server (for example, allow port 443 only from known address ranges) or put it behind a VPN so it cannot be reached directly from the internet. These restrictions only block the initial SSRF step; they do not protect against the rest of the chain if an attacker already has a foothold. If your Exchange server is externally facing, install the latest available security updates without delay.
- CVE-2021-26857: This is an insecure deserialization vulnerability in the Exchange Unified Messaging service. Exploiting it lets an attacker run arbitrary code as SYSTEM on the Exchange server. It requires administrator permissions (for example, stolen credentials) or a prior vulnerability such as the SSRF above. The fix is to install the latest security updates on your Exchange server; restricting untrusted connections only limits the chance that an unauthenticated attacker reaches this step.
- CVE-2021-26858: This is a post-authentication arbitrary file write vulnerability. Once authenticated, an attacker can write a file to any path on the Exchange server. Authentication can be obtained by exploiting the SSRF vulnerability or by using stolen administrator credentials. Install the security updates released by Microsoft to patch this vulnerability.
- CVE-2021-27065: This is another post-authentication arbitrary file write vulnerability that lets an attacker with administrator credentials (or an SSRF-authenticated session) write a file to any path on the Exchange server. Hafnium used these file writes to drop ASPX web shells into web-accessible directories. To protect your Exchange server, apply the latest security patches released by Microsoft.
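The following script is an added example, not code from the original article or from Microsoft. It hunts for the artifacts that Microsoft published as indicators for each of the four CVEs: SSRF requests in the HttpProxy logs, arbitrary file writes in the OAB generator and ECP logs, failed deserialization errors from Unified Messaging, and recently written ASPX files in the directories used for web shells. It assumes the default Exchange 2013/2016/2019 installation path under Program Files (set `$ExchangeRoot` otherwise) and is meant to be run in an elevated Exchange Management Shell on the server being checked. The look-back window `$Since` is an assumption; widen it if the server has been exposed longer.

```powershell
# Added example, not from the original article: hunt for the artifacts Microsoft
# published for each of the four CVEs. Assumes the default Exchange 2013/2016/
# 2019 install path under Program Files; change $ExchangeRoot otherwise. Run in
# an elevated Exchange Management Shell on the server being checked.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$Since        = (Get-Date).AddDays(-60)   # look-back window (assumed); widen if needed

# CVE-2021-26855 (SSRF): HttpProxy log rows whose AnchorMailbox looks like
# ServerInfo~*/* or whose BackEndCookie looks like Server~*/*~*. Legitimate
# clients never send these values.
function Find-SsrfRequests {
    $dir = Join-Path $ExchangeRoot 'Logging\HttpProxy'
    Get-ChildItem -Path $dir -Recurse -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or
                               $_.BackEndCookie -like 'Server~*/*~*' } |
                Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox,
                              BackEndCookie, HttpStatus
        }
}

# CVE-2021-26858: the OAB generator should only write temporary files under
# ...\ClientAccess\OAB\Temp. Microsoft's indicator is this log message; inspect
# the path in each hit, since a path outside Temp means an arbitrary file write.
function Find-OabFileWrites {
    Select-String -Path (Join-Path $ExchangeRoot 'Logging\OABGeneratorLog\*.log') `
                  -Pattern 'Download failed and temporary file' -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

# CVE-2021-26857: failed deserialization in Unified Messaging shows up as
# Application-log errors from "MSExchange Unified Messaging" that mention
# System.InvalidCastException.
function Find-UmDeserializationErrors {
    $filter = @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'
                 Level = 2; StartTime = $Since }   # Level 2 = Error
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, Message
}

# CVE-2021-27065: the web shells were written by changing a virtual directory's
# settings through ECP, which leaves Set-*VirtualDirectory in the ECP server log.
function Find-EcpVirtualDirectoryWrites {
    Select-String -Path (Join-Path $ExchangeRoot 'Logging\ECP\Server\*.log') `
                  -Pattern 'Set-.+VirtualDirectory' |
        Select-Object Path, LineNumber, Line
}

# File-based check: recently written .aspx files in the directories Hafnium used
# for web shells. owa\auth and ecp\auth legitimately contain .aspx files, so
# filter by write time and compare anything found against a known-good server.
function Find-RecentAspxFiles {
    $dirs = @(
        'C:\inetpub\wwwroot\aspnet_client'
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth')
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
    )
    foreach ($d in ($dirs | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $d -Recurse -Filter '*.aspx' |
            Where-Object { $_.LastWriteTime -ge $Since } |
            Select-Object FullName, LastWriteTime, Length
    }
}

# Run every check and report per CVE. Any hit needs manual triage: patching
# closes the hole but does not remove what an attacker already left behind.
$checks = [ordered]@{
    'CVE-2021-26855 SSRF requests'          = { Find-SsrfRequests }
    'CVE-2021-26858 OAB file writes'        = { Find-OabFileWrites }
    'CVE-2021-26857 UM deserialization'     = { Find-UmDeserializationErrors }
    'CVE-2021-27065 ECP virtual dir writes' = { Find-EcpVirtualDirectoryWrites }
    'Recently written .aspx files'          = { Find-RecentAspxFiles }
}
foreach ($name in $checks.Keys) {
    $hits = @(& $checks[$name])
    Write-Host ("{0}: {1} hit(s)" -f $name, $hits.Count)
    if ($hits.Count) { $hits | Format-Table -AutoSize | Out-String | Write-Host }
}
```

A clean result from these checks is not proof that the server was never touched: logs roll over, and attackers who gained SYSTEM can clear them. Treat a hit on any of the four log checks as a confirmed intrusion and start incident response rather than simply patching.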
How to Check if your MS Exchange Server is Vulnerable?
Microsoft maintains the Exchange Server Health Checker PowerShell script (HealthChecker.ps1), which Exchange administrators can use to check whether their servers are missing security updates and are therefore exposed to known vulnerabilities. The script also reports performance and configuration problems and tells you whether a Cumulative Update (CU) or Security Update (SU) needs to be installed.
Here are the steps:
Step 1: Download Health Checker Script
Download the latest release of the HealthChecker.ps1 PowerShell script from Microsoft's CSS-Exchange repository on GitHub if you are running Exchange Server 2019, 2016, or 2013. If you are running Exchange 2010, download the older V2 release to the server instead.
Step 2: Run Health Checker Script
You can run the Health Checker script from the Exchange Management Shell (EMS). Follow these steps:
- Open EMS on your server as an administrator.
- Change to the folder where you saved the HealthChecker.ps1 PowerShell script.
- Enter the command: .\HealthChecker.ps1
- This runs the script in its default mode against the local server.
- To check a specific Exchange server instead, run: .\HealthChecker.ps1 -Server EXCHSRV1
- The output includes a list of the known security vulnerabilities (by CVE) that your server's current build is still exposed to. Apply the latest updates released by Microsoft to close them.
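The following is an added example, not code from the original article or from the HealthChecker project. It runs HealthChecker.ps1 against every Exchange 2013/2016/2019 server in the organization and builds one HTML summary, then performs an independent check that does not depend on the script: it reads the file version of ExSetup.exe on each server (Security Updates change this file; the AdminDisplayVersion shown by Get-ExchangeServer only reflects the CU) and compares it with the minimum build that contains the March 2021 fix. It assumes HealthChecker.ps1 is in the current directory, that you are in the Exchange Management Shell with remoting to the other servers, and that the switch names `-Server` and `-BuildHtmlServersReport` match the ones documented in the CSS-Exchange repository. The build numbers in `$MinPatchedBuild` are my transcription of Microsoft's March 2021 release table; verify them against the current Exchange build table before relying on them.

```powershell
# Added example, not from the original article or the HealthChecker project.
# Assumes HealthChecker.ps1 is in the current directory and you are running
# in the Exchange Management Shell. Switch names are as documented in
# Microsoft's CSS-Exchange repository; confirm with Get-Help .\HealthChecker.ps1.

# Exchange 2010 (version 14) is excluded; the current script does not cover it.
$servers = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.Major -ge 15 } |
    Select-Object -ExpandProperty Name

# 1. Run the Health Checker once per server; each run writes a text and XML
#    report into the current directory.
foreach ($s in $servers) {
    .\HealthChecker.ps1 -Server $s
}

# 2. Aggregate the per-server XML output into one HTML report for review.
.\HealthChecker.ps1 -BuildHtmlServersReport

# 3. Independent check: minimum ExSetup.exe file version that includes the
#    March 2021 security update, keyed by the installed CU (major.minor.build).
#    Values transcribed from Microsoft's release table for that SU: verify them
#    against the current build table, and extend the list as later SUs ship.
#    This only tells you whether the ProxyLogon fix is present, not whether the
#    server has every later update.
$MinPatchedBuild = @{
    '15.2.858'  = [version]'15.2.858.5'    # Exchange 2019 CU9
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.1.2242' = [version]'15.1.2242.4'   # Exchange 2016 CU20
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
}

function Test-ProxyLogonPatched {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Read the file version remotely as a string; casting to [version] on the
    # remote side would come back as a deserialized object that cannot be
    # compared, so the cast is done locally.
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $exe).VersionInfo.FileVersion
    }
    $ver = [version]$raw            # e.g. "15.02.0792.010" -> 15.2.792.10
    $cu  = '{0}.{1}.{2}' -f $ver.Major, $ver.Minor, $ver.Build
    $min = $MinPatchedBuild[$cu]

    $status = if (-not $min)        { 'No March 2021 SU exists for this CU: update the CU first' }
              elseif ($ver -ge $min) { 'Patched' }
              else                   { "Vulnerable: install the SU (minimum build $min)" }

    [pscustomobject]@{
        Server       = $ComputerName
        ExSetupBuild = $ver
        Status       = $status
    }
}

$servers | ForEach-Object { Test-ProxyLogonPatched -ComputerName $_ } | Format-Table -AutoSize
```

If the two views disagree (for example, Health Checker reports the server as patched but the ExSetup.exe build is below the minimum), trust the file version: it is what the security update actually changes. A server whose CU has no SU at all cannot be patched in place and must first be moved to a CU that Microsoft released an SU for.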
Step 3: Run Exchange On-Premises Mitigation Tool
Microsoft has released the Exchange On-premises Mitigation Tool (EOMT), a one-click mitigation tool for customers who have not yet installed the security updates on their on-premises Exchange servers. It mitigates CVE-2021-26855 by adding an IIS URL Rewrite rule that blocks the malicious request pattern, and it scans for and removes known web shells. EOMT is an interim measure, not a substitute for the security update. Here are the steps to run the EOMT:
- Download the EOMT tool.
- Extract the folder at the desired location.
- Open the Exchange Management Shell as an administrator and change to the location where you extracted the folder.
- Run the script: .\EOMT.ps1. It first checks whether the server's build is vulnerable; if it is, it downloads and installs the IIS URL Rewrite Module and applies the mitigation rule (the server needs internet access for the download).
- It then downloads the Microsoft Safety Scanner (MSERT) and runs it in quick scan mode, removing web shells and other known threats it finds on the Exchange server.
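The following is an added example, not code from the original article or from the EOMT project. It wraps the procedure above so that the result can be verified: it records the rewrite rules on the Default Web Site before running EOMT, runs the tool with a full rather than quick MSERT scan, reports which rules the tool added, and shows how the interim rule is rolled back once the real security update is installed. It assumes EOMT.ps1 is in the current directory, that the shell is elevated, that the server can reach the internet to download the URL Rewrite module and MSERT, and that the `-RunFullScan` and `-RollbackMitigation` switches match the ones documented in the CSS-Exchange repository (check `Get-Help .\EOMT.ps1 -Detailed` before relying on them).

```powershell
# Added example, not from the original article or the EOMT project. Assumes an
# elevated Exchange Management Shell, EOMT.ps1 in the current directory, and
# internet access for the tool's downloads. Switch names are as documented in
# Microsoft's CSS-Exchange repository; confirm with Get-Help .\EOMT.ps1 -Detailed.

Import-Module WebAdministration

function Get-DefaultSiteRewriteRules {
    # EOMT applies its mitigation to the Default Web Site, the front-end site
    # that serves OWA/ECP on port 443. Returns one object per rewrite rule.
    Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' `
                         -Filter 'system.webServer/rewrite/rules/rule' |
        Select-Object name,
                      @{ n = 'Pattern'; e = { $_.match.url } },
                      @{ n = 'Action';  e = { $_.action.type } }
}

# 1. Baseline: rules present before the tool runs.
$before = @(Get-DefaultSiteRewriteRules)

# 2. Apply the mitigation and scan. The default is a quick MSERT scan; a full
#    scan takes much longer but covers the whole disk, which matters on a
#    server that may already have been compromised.
.\EOMT.ps1 -RunFullScan

# 3. Verify that the mitigation actually landed.
$after = @(Get-DefaultSiteRewriteRules)
$added = $after | Where-Object { $_.name -notin $before.name }

if ($added) {
    Write-Host 'Rewrite rules added by EOMT:'
    $added | Format-Table -AutoSize
}
else {
    Write-Warning ('No new rewrite rules were found on the Default Web Site. ' +
                   'Check the EOMT output before treating this server as mitigated; ' +
                   'the tool skips the mitigation if it thinks the build is already patched.')
}

# 4. The rule only blocks the CVE-2021-26855 request pattern; it does not fix
#    the other three CVEs. Install the Security Update, then remove the interim
#    rule so that it does not mask the patched behaviour:
#
#    .\EOMT.ps1 -RollbackMitigation
```

Keep the `$before` and `$after` listings with your change records: if a later troubleshooting session finds an unexplained rewrite rule on the Default Web Site, you want to know whether it came from EOMT or from someone else.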
How to Protect your Exchange Server?
Mitigations only reduce exposure; you still need to install the latest Exchange Server updates released by Microsoft to remove the vulnerable code.
1. March 2021 Security Updates: These updates fix the four zero-day vulnerabilities. Download and install the March 2021 Exchange Server Security Update that matches your server's CU level. Security Updates are CU-specific; if your server is on a CU for which no SU was released, update to a supported CU first and then install the SU.
2. April 2021 Security Updates: Microsoft's April 2021 Patch Tuesday release addressed 114 vulnerabilities across its products, including additional Exchange Server security updates. Install these updates to protect your Exchange server from newer attacks. The Exchange Server April 2021 SUs are available for the following CUs:
- Exchange Server 2019 CU8 and CU9
- Exchange Server 2016 CU19 and CU20
- Exchange Server 2013 CU23
3. May 2021 Security Updates: Microsoft's May 2021 Patch Tuesday release addressed 55 vulnerabilities across its products, three of which were publicly disclosed before the patch was available: CVE-2021-31207, CVE-2021-31200, and CVE-2021-31204. Of these, only CVE-2021-31207 (a security feature bypass in Exchange Server) affects Exchange; none of the three was reported as exploited by the Hafnium group. Install the May 2021 Exchange SU for your CU as well.
Conclusion
Hafnium and other threat groups have exploited these Exchange Server vulnerabilities to steal data and install malware. The four zero-day vulnerabilities are described in detail above. To close them, install the security updates released by Microsoft; network restrictions and EOMT are stop-gaps until the update is applied.
If your Exchange server has been compromised or attacked by such threat groups, resulting in a server crash or an inaccessible database, you can use Exchange recovery software such as Stellar Repair for Exchange to recover mailboxes. The software can recover mailboxes from an offline or dismounted database and export them to a live Exchange server. If you want to migrate large Exchange EDB files to PST, you can try Stellar Converter for EDB. Recovering mailbox data does not remove web shells or other persistence an attacker left behind; clean or rebuild the compromised server and apply the security updates before putting it back into service.