update from our previous post – Microsoft vulnerability - Remote Code Execution (CVE-2021-40444)
Summary
On 21 November 2021, two weeks after the patch for CVE-2021-42321 was released in Microsoft's November Patch Tuesday, open-source reporting disclosed that a proof-of-concept exploit for this Exchange Server vulnerability had been published. CVE-2021-42321 is a post-authentication remote code execution flaw caused by unsafe deserialization, so an attacker needs a valid Exchange account to use it; that is a low bar once a single mailbox credential has been phished or guessed. Although Microsoft described seeing only limited targeted attacks in the wild when it published the updates, our service provider is already seeing reports of an increase in attackers scanning for and attempting to exploit this vulnerability now that a PoC is public. This continues the trend of threat actors exploiting Exchange vulnerabilities and chaining exploits to conduct malicious activity on networks.
Vulnerable versions:
- Exchange Server 2016
- Exchange Server 2019
Microsoft lists CVE-2021-42321 as affecting Exchange Server 2016 and 2019. The November 2021 security update is also published for Exchange Server 2013 CU23 (it fixes other issues in the same release), so 2013 servers should be patched at the same time.
Recommendation(s):
If you haven't already done so, you are strongly advised to apply the Microsoft November 2021 Exchange Server security updates to bring your systems up to date. Exchange security updates only install on the Cumulative Updates they were built for, so a server on an older CU must first be brought to a supported CU and then have the security update applied.
These updates are available for the following specific builds of Exchange Server:
You are also advised to ensure that you have a full inventory of your Exchange infrastructure and to run the following command on each server to check for signs of exploitation attempts (from BleepingComputer, reproducing Microsoft's guidance). It looks for the "MSExchange Common" error events that an exploitation attempt writes to the Application log. The wildcards around the search string are required: -like without them is an exact match against the whole message and would never return a hit.
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
Any matching events indicate that someone has attempted to exploit the server and warrant further investigation (when the attempt happened, which account it came from, what ran afterwards). An empty result does not prove the server is clean: the Application log may have rolled over or been cleared, so preserve the log before patching and check your SIEM if the events are forwarded.
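To run that check across the whole estate rather than one box at a time, the following PowerShell is an added example for this advisory; it is not Microsoft's, BleepingComputer's or EMPSN's own script. It assumes you are in the Exchange Management Shell on a host with WinRM access to every Exchange server, that the account can read each server's Application log remotely, and that a 30-day look-back (an assumed default) is enough for your log retention. It reports the CU from Get-ExchangeServer, the ExSetup.exe file version (which is what Microsoft's build-number table lists and what actually shows whether the security update is installed), and the count of deserialization error events per server.

```powershell
# Added example, not part of the original advisory or of Microsoft's tooling.
# Run from the Exchange Management Shell on a host that can reach every
# Exchange server over WinRM. Assumptions: the account can read the remote
# Application log, and PowerShell remoting is enabled on each server.

function Get-ExchangePatchAndCompromiseStatus {
    param(
        # How far back to search the Application log (30 days is an assumed default)
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    foreach ($server in Get-ExchangeServer) {
        $name = $server.Name

        # AdminDisplayVersion only shows the CU. The security-update level is in
        # the ExSetup.exe file version, which is what Microsoft's build table lists.
        $exsetup = Invoke-Command -ComputerName $name -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
        } -ErrorAction SilentlyContinue

        # Exploitation attempts leave "MSExchange Common" error events whose
        # message mentions BinaryFormatter.Deserialize. The wildcards matter:
        # -like without them is an exact match and would never hit.
        $hits = @(Get-EventLog -ComputerName $name -LogName Application `
                    -Source 'MSExchange Common' -EntryType Error -After $Since `
                    -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' })

        [pscustomobject]@{
            Server         = $name
            CuVersion      = $server.AdminDisplayVersion
            ExSetupVersion = $exsetup           # compare with Microsoft's build table
            DeserializeErr = $hits.Count
            LastHit        = if ($hits) {
                                 ($hits | Sort-Object TimeGenerated -Descending)[0].TimeGenerated
                             } else { $null }
        }
    }
}

# Usage: show the whole estate, then keep the evidence for any server with hits.
$report = Get-ExchangePatchAndCompromiseStatus
$report | Format-Table -AutoSize
$report | Where-Object DeserializeErr -gt 0 |
    Export-Csv -NoTypeInformation .\exchange-deserialize-hits.csv
```

A server whose ExSetupVersion is older than the November 2021 security-update build for its CU is unpatched regardless of what the CU column says. Get-EventLog is the legacy cmdlet and can be slow on busy servers; Get-WinEvent with a FilterHashtable over the same log and provider returns the same events faster if you prefer it.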
Think of updating Exchange Server in three stages:
- Take inventory: use the Exchange Server Health Checker script on GitHub to see whether any of your on-premises Exchange servers are behind on updates; it reports the CU and security-update level of each server.
- Install updates: visit https://aka.ms/ExchangeUpdateWizard, choose your currently running CU and your target CU, then click the "Tell me the steps" button to get the list of steps to follow.
- Troubleshoot (if needed): if the update fails, follow the troubleshooting guidance that the Exchange Update Wizard links to for your CU path.
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk