Getty Images

NSA Finds, Urges Patch of 4 New Critical Microsoft Exchange Flaws

Microsoft issued patches for four new on-prem Exchange Server vulnerabilities, found by NSA. Combined with the previous zero-day flaws, prioritization will be crucial.

Microsoft disclosed and issued patches for four newly detected vulnerabilities found in on-prem Microsoft Exchange Servers version 2016 and 2019. The Department of Homeland Security is urging all federal agencies and private sector entities to prioritize the software update.

NSA found and disclosed the vulnerabilities to the Microsoft team. The flaws have been assigned as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483.

For all four flaws, “the vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed, up to and including the entire internet.”

These remote code execution flaws are exploitable at the protocol level, “one or more network hops away, e.g. across one or more routers.” The possible attacks would require low-level skills with no required system privileges or user interaction to exploit.

According to the DHS Cybersecurity and Infrastructure Security Agency alert, an attacker could exploit these vulnerabilities to gain access and maintain persistence on victims’ networks.

CISA provided an emergency directive for federal agencies requiring the prioritization of patching the Exchange Servers. However, officials stressed that private sector entities would find the resource helpful for mitigating the critical risk.

“We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats,” Microsoft researchers explained.

“Customers using Exchange Online are already protected and do not need to take any action,” they added.

The software update does not apply to the previously disclosed zero-day flaws, which have been under active attack from advanced persistent threat (APT) groups for a number of months. 

The flaws included a server-side-request forgery (SSF) that would enable an attacker to gain remote access to the victim’s network, or even allow a threat actor to access network data. Researchers previously observers actors using the flaws to write webshells to disk, dump credentials, and even steal copies of the Active Directory.

The flaws have been a key focus for the tech giant and CISA for more than a month, with the teams sharing multiple tools to mitigate and detect the flaws. While the majority of vulnerable servers have been patched, tens of thousands of these servers remain vulnerable to attack.

Combined with the latest vulnerability disclosures, it’s imperative for all entities using on-prem Exchange Servers to prioritize securing the tech from attack -- particularly as Microsoft noted that exploitation of these flaws is more than likely.

Microsoft provided guidance on how to successfully mitigate the risk posed by the latest flaws, including a tool to inventory servers and find whether the platforms are behind on security updates.

The CISA directive tells administrators to deploy the updates and apply or maintain technical and or management controls to ensure that the newly provisioned or previously disconnected endpoints are updated before reconnecting to the enterprise network.

Notably, leveraging the tools previously released by Microsoft to mitigate the latest round of vulnerabilities will not fix the newly disclosed flaws.

“Security is a journey that evolves with changes in the threat landscape,” Microsoft researchers wrote. 

“We remain committed with our partners in the security community to build resiliency as a global community through regular updates and security best practices such as our Zero Trust approach, layered defense in depth, and assume breach philosophy, which are all proven to reduce the impact of an attack. We encourage others to do the same,” they concluded.

As threat actors continue to scan and exploit endpoint vulnerabilities, such as the Accellion incident, it’s crucial for providers to quickly move to mitigate these security gaps to prevent falling victim. As seen with the SolarWinds supply chain attack, attacks are becoming stealthier and harder to detect.

Next Steps

Dig Deeper on Cybersecurity strategies