24/11/2021

Microsoft Vulnerability - Remote Code Execution (CVE-2021-42321) 

Update from our previous post – Microsoft vulnerability - Remote Code Execution (CVE-2021-40444)

Summary 

On 21/11, two weeks after the patch for CVE-2021-42321 was released in Microsoft's Patch Tuesday, open-source reporting disclosed that a proof-of-concept exploit for this Exchange vulnerability had been published. Whilst Microsoft described seeing limited targeted attacks in the wild when publishing the updates to patch this vulnerability, our service provider is already seeing reports of an increase in attempts by attackers to scan for and exploit this vulnerability now that a PoC has been released. This continues the trend of threat actors exploiting Exchange vulnerabilities and chaining exploits to conduct malicious activity on networks.

Vulnerable versions: 

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019 

Recommendation(s): 

If you haven’t already done so, you are strongly advised to apply the latest Microsoft November 21 patches to bring your systems up-to-date. 

These updates are available for the following specific builds of Exchange Server: 

You are also advised to ensure that you have a full inventory of your Exchange infrastructure and run the following script to check for compromise of each server (from BleepingComputer):

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
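
The check above run across a whole inventory, as an added example that is not part of the original advisory or of Microsoft's guidance. The server names are constructed placeholders, and the script assumes Windows PowerShell with PowerShell remoting enabled to each Exchange server.

```powershell
# Added example: run the advisory's event-log check against every server in an inventory.
# $Servers is a constructed placeholder list (hypothetical names); replace it with your
# own inventory, for instance the output of Get-ExchangeServer in the Exchange Management Shell.
$Servers = @('EXCH01.example.org', 'EXCH02.example.org')

$check = {
    # The advisory's filter, with wildcards so -like matches anywhere in the message.
    # Get-EventLog reports an error when nothing matches, so that error is silenced here.
    Get-EventLog -LogName Application -Source 'MSExchange Common' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object TimeGenerated, EventID, Message
}

$report = foreach ($server in $Servers) {
    try {
        # @() forces an array so .Count is reliable for zero or one result.
        $hits = @(Invoke-Command -ComputerName $server -ScriptBlock $check -ErrorAction Stop)
        $sorted = $hits | Sort-Object TimeGenerated
        [pscustomobject]@{
            Server    = $server
            Status    = if ($hits.Count) { 'REVIEW' } else { 'No matching events' }
            HitCount  = $hits.Count
            FirstSeen = ($sorted | Select-Object -First 1).TimeGenerated
            LastSeen  = ($sorted | Select-Object -Last 1).TimeGenerated
        }
    }
    catch {
        # An unreachable server is not a clean server: record it so it gets rechecked.
        [pscustomobject]@{
            Server    = $server
            Status    = "NOT CHECKED: $($_.Exception.Message)"
            HitCount  = $null
            FirstSeen = $null
            LastSeen  = $null
        }
    }
}

# Show the summary and keep a copy for the incident record.
$report | Sort-Object Status -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\CVE-2021-42321-eventlog-check.csv -NoTypeInformation
```

A server reported as "No matching events" has only passed this one log check; the Application log may have rolled over since the patch was released, so it still needs the update applied.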

Think of updating Exchange server in several stages:

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk
