Advisory No: TZCERT/SA/2021/03/04
Date of First Release: 4th March 2021
Affected products:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
The four Microsoft Exchange vulnerabilities are part of an attack chain that may allow an unauthenticated attacker to execute arbitrary code remotely. These vulnerabilities are Server-Side Request Forgery (SSRF) (CVE-2021-26855), insecure deserialization (CVE-2021-26857), and arbitrary file write (CVE-2021-26858 and CVE-2021-27065).
The SSRF vulnerability could be exploited by sending a specially crafted HTTP request to a vulnerable Exchange Server, which may result in remote code execution by an unauthenticated remote attacker.
The insecure deserialization vulnerability exists in the Exchange Unified Messaging service, which handles voicemail functionality. To exploit this vulnerability, an attacker would need to be authenticated to the vulnerable Exchange Server with administrator privileges, or would first need to use another vulnerability to gain access.
The arbitrary file write vulnerability is also post-authentication, meaning an attacker needs administrative privileges before exploiting it. An attacker could use the SSRF vulnerability to gain administrative privileges on the system. Once access is gained, the attacker could write arbitrarily to any path on the vulnerable server.
Successful exploitation of these vulnerabilities could allow an attacker to gain access to the Exchange Server system.
Microsoft has issued security updates for the affected products. Users and administrators are advised to apply the necessary updates to their Exchange Servers.