icetray - Fotolia

Exchange Server issues loom over March Patch Tuesday

For many organizations that rely on Exchange for reasons in addition to email, a move to a more secure messaging platform is not an option.

Microsoft released security updates for 82 unique vulnerabilities for March Patch Tuesday, including a browser zero-day, but the fallout from last week's Exchange Server zero-days continues to overshadow organizations affected by the exploits.

On March 2, Microsoft issued out-of-band patches for four zero-days (CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858) affecting Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. According to Microsoft, a threat actor dubbed Hafnium with ties to the Chinese government used these exploits to target a range of industries, including defense contractors and law firms. A Microsoft official explained how Hafnium used the exploits in a blog post.

"The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what's called a web shell to control the compromised server remotely. Third, it would use that remote access -- run from the U.S.-based private servers -- to steal data from an organization's network," wrote Tom Burt, corporate vice president of customer security & trust at Microsoft.

The same day, Microsoft added patches for three Exchange Server remote-code execution vulnerabilities (CVE-2021-26412, CVE-2021-26854 and CVE-2021-27078) the company said were not related to the Hafnium vulnerabilities.

Exchange presents an on-premises dilemma for many organizations

According to Chris Goettl, senior director of product management for security products at Ivanti, many organizations continue to use on-premises Exchange Server for several reasons, such as high cost and the operational effort required to switch cleanly while avoiding any disruptions with apps and equipment that depend on Exchange.

"This platform will continue to be easily targeted by threat actors because it's a complex server platform to upgrade," he said. "It's not a matter of if there will be another major Exchange exploit but a matter of when. Is it going to be six months, 12 months, 18 months? Another one will come and another one after that."

Chris Goettl, senior director of product management for security products at IvantiChris Goettl

Initially, customers with affected Exchange Server systems needed to update each to the latest cumulative update before they could apply the Hafnium patches, but on March 8 Microsoft released multiple security updates for older versions of Exchange 2016 and Exchange 2019. A blog from the Exchange Server team stipulated these patches were "intended only as a temporary measure to help you protect vulnerable machines right now" and these Exchange systems still require the latest cumulative updates.

Exchange Server 2010 is no longer supported, but Microsoft released a patch that corrects the CVE-2021-26857 zero-day vulnerability for this product. It doesn't happen often, but Microsoft will release patches for unsupported products if it determines the threat is serious enough. Security researcher Brian Krebs estimated the Hafnium exploits have been used to infiltrate more than 30,000 organizations in the U.S.

Hacks on Microsoft's on-premises messaging platform make life difficult for organizations still tethered to at least one Exchange Server solely for the need to run Azure Active Directory Connect to synchronize identities between Exchange Online and on-premises Active Directory. It's a problem that has vexed companies of all sizes without any official resolution in sight. It's possible to remove the hybrid Exchange setup and find another way to handle this Active Directory synchronization, but you lose Microsoft support in the process.

Steve Goodman, a principal technology strategist at information technology and services provider Content + Cloud, shared his frustration with the situation on Twitter after one Microsoft official chided organizations that continue to use on-premises Exchange.

"Because you can't remove the last #MSExchange Server if you are running Azure AD Connect. Microsoft have been promising to solve this for years. And some customers large & small have legitimate reasons. MS should own this & not question why their customers use software they sell," Goodman wrote.

In other situations, some enterprises have regulatory or compliance reasons that don't allow them to put email in the cloud, which requires them to stay with Exchange Server.

Microsoft released two tools to uncover use of the exploit and mitigate the issue for administrators who could not patch Exchange immediately. The presence of web shells, browser-based tools that give attacker a way to manipulate compromised systems over the internet, in Exchange means the patch is too late and the server will need to be rebuilt.

"This mitigation does not protect you long term. It's a triage to keep the patient alive long enough to get them into the emergency room," Goettl said.

Browser zero-day and Windows public disclosure highlight March Patch Tuesday

Of the 82 unique vulnerabilities for March Patch Tuesday, 10 were rated critical.

Microsoft corrected a critical zero-day memory corruption vulnerability (CVE-2021-26411) in Internet Explorer 11 and the HTML-based Microsoft Edge browsers running on supported Windows desktop and server systems.

The bug is actively exploited with a relatively high base CVSS score of 8.8 that requires the interaction of an authorized user to trigger the exploit by opening an email attachment or visiting a malicious website.

"The attacker can't automatically execute this, but they can socially engineer users to do it through specially crafted websites to convince users to click on the exploit," Goettl said.

CVE-2021-27077 is a publicly disclosed Windows Win32k elevation-of-privilege vulnerability rated important for supported Windows desktop and server systems that could be used in tandem with the browser zero-day to expand access to the system.

"This exploit wouldn't be your first line of attack as an attacker, but it is one of those things in your tool bag that you can take out to try to gain the elevated level of permissions to go to the next step of the attack," Goettl said.

Other noteworthy fixes for March Patch Tuesday

  • A critical DNS Server remote-code execution vulnerability (CVE-2021-26897) for supported Windows Server systems with the relatively high base CVSS score of 9.8. Microsoft noted that only a Windows Server system configured as a DNS server is vulnerable.
  • Two critical unsigned code execution vulnerabilities (CVE-2021-27074 and CVE-2021-27080) for the Azure Sphere IoT platform. Azure Sphere devices get patched automatically but disconnected devices should be put on a secure, private local network with internet access to get the patch.
  • An important SharePoint Server remote-code execution vulnerability (CVE-2021-27076) affecting SharePoint Foundation 2013, Business Productivity Servers 2010, SharePoint Server 2019 and SharePoint Enterprise Server 2016. Microsoft indicated an attacker would need existing privileges to create a SharePoint site required to launch the exploit.
  • Microsoft addressed 10 CVEs related to the HEVC video extension: CVE-2021-24089, CVE-2021-24110, CVE-2021-26902, CVE-2021-27047, CVE-2021-27048, CVE-2021-27049, CVE-2021-27050, CVE-2021-27051, CVE-2021-27061 and CVE-2021-27062. The Microsoft Store updates these extensions automatically, but it could be overlooked and left vulnerable in disconnected environments.

Administrators of developer environments will want to address an important information disclosure vulnerability (CVE-2021-27075) affecting the Azure Kubernetes Service, Azure Container Instances, Azure Spring Cloud and Azure Service Fabric to prevent a remote attacker with credentials from accessing sensitive information on the system.

Dig Deeper on IT operations and infrastructure management