Microsoft releases emergency patches for Exchange Server RCE vulnerabilities exploited in the wild (Updated)

Microsoft has released emergency out-of-band security updates to fix multiple Critical vulnerabilities impacting Microsoft Exchange Server 2013, 2016 and 2019, collectively known as “ProxyLogon.” The tech giant also published interim mitigations if organizations can not patch immediately, as well as an IOC detection tool.

Microsoft previously issued a security update on March 2 warning the vulnerabilities have been exploited in “limited targeted attacks.”

“Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks,” Microsoft warned in the advisory on Tuesday.

Microsoft further added in a blog post that these Exchange vulnerabilities are used as part of an attack chain. Attackers will look to make untrusted connection to an Exchange server over port 443.

Moreover, Cybersecurity and Infrastructure Security (CISA) followed up with a new alert on March 4 with more details related to tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity.

In total, Microsoft patched the following four remote code execution (RCE) vulnerabilities collectively known as “ProxyLogon”:

Of special note, CISA explained in the alert that CVE-2021-26855 can “allow an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.”

To add, the Exchange vulnerability basically exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF).

The remaining three vulnerabilities can all result in remote code execution and could be used in combination with CVE-2021-26855 to further exploit impacted systems.

The tech giant further recommended restricting untrusted connections or preventing external access to Exchange server unless using a VPN connection. However, the company still warned attackers could still trick administrators into running malicious files to gain access.

Interim mitigations

If organizations are unable to patch Exchange Server 2013, 2016 and 2019 immediately, they can implement interim mitigations. Microsoft said the mitigations are effective against attacks in the wild, but are not guaranteed to be completely effective against exploitation of these vulnerabilities.

Although patching is still highly recommended, organizations can implement an IIS Re-Write Rule (for CVE-2021-26855) and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services.

“This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole,” Microsoft explained in a blog post March 5.

However, Microsoft warned the mitigation could cause unknown impact and will not evict a bad actor who has already compromises an Exchange server. They added this intended as temporary in nature.

Microsoft IOC detection tool

Finally, Microsoft also released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the Exchange vulnerabilities. The PowerShell script automates all four of the commands found in the Hafnium blog post and helps make the CVE-2021-26855 test run much faster.

Update March 4, 2021: This article was updated to include new information from CISA and Microsoft related to the threat.

Update March 8, 2021: This articles was updated to include Microsoft alternative mitigation techniques if patches cannot be applied immediately, as well as a new Microsoft IOC detection tool.

Interim mitigations

Microsoft IOC detection tool

Related Articles