Another round of Microsoft Exchange vulnerabilities
We warned you last week that more critical Exchange vulnerabilities were on the horizon, and this week proves our words to be prophetic. Today is April 2021’s Patch Tuesday, the day each month when Microsoft releases patches, typically the second Tuesday.
All four of these new critical vulnerabilities lead to Remote Command Execution (RCE) – similar to the ProxyLogon vulnerabilities we spent all of March dealing with – and two of them work for unauthenticated users.
Unlike ProxyLogon, there is no evidence so far that anyone has exploited these vulnerabilities, which means that there’s still time to patch your systems before we start seeing bad guys dropping shells and ransomware everywhere.
The four vulnerabilities in question were reported to Microsoft by the NSA. There is no confirmation at this time whether they are related to the exploits used during last week’s Pwn2Own competition, which we mentioned in our last weekly threat report.
Microsoft rates the complexity of the vulnerabilities as low, and its FAQ states that the mitigation techniques we previously discussed will not work against these new vulnerabilities. So far, the only recommendation, and the best one, is to patch your on-premises Exchange servers as quickly as possible. Though we have not seen anyone exploiting these vulnerabilities yet, industrious adversaries could reverse engineer the now-public patches to determine what was updated and then create their own exploits.
Additional critical updates for other Microsoft products were also released today, including one for a local privilege escalation, CVE-2021-28310, that has been observed in use by the BITTER APT group.
As always, the Perch research team will keep an eye on this story as it develops and let you know when we have additional information.
- Bryson Medlock, the Dungeon Master