The National Security Agency (NSA) informed Microsoft about four critical vulnerabilities that could be exploited by attackers to compromise Microsoft Exchange Servers remotely. The vulnerabilities CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 are present in 2013, 2016, and 2019 versions of the Exchange Server. If exploited successfully, the vulnerabilities could allow threat actors to perform remote code execution on targeted systems.
However, Microsoft clarified that there is no evidence of hackers exploiting the vulnerabilities reported by the NSA. Besides, Microsoft released security patches for the bugs to avoid any risks.
“Cybersecurity is national security. Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors. Don’t allow them to exploit this vulnerability on your system,” Rob Joyce, NSA’s Director of Cybersecurity, said in a media statement.
Microsoft Releases Security Patches
Cybersecurity hygiene and patch management have become an important aspect for organizations after a series of attacks on Microsoft Exchange Servers. In its April 2021 Patch Tuesday, Microsoft released security fixes for 108 vulnerabilities, with 19 classified as Critical and 89 as important. There are also five zero-day vulnerabilities patched in this update along with the four critical vulnerabilities discovered by the NSA.
“Customers who installed the March 2021 security updates for supported CUs can install the April 2021 security updates and be protected against the vulnerabilities that were disclosed during both months. If you are installing an update manually, do not double-click on the .msp file, but instead run the install from an elevated CMD prompt,” Microsoft said.
The four vulnerabilities that were publicly exposed but not exploited include:
CVE-2021-27091 – RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
CVE-2021-28312 – Windows NTFS Denial of Service Vulnerability
CVE-2021-28437 – Windows Installer Information Disclosure Vulnerability – PolarBear
CVE-2021-28458 – Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
The Win32k Elevation of Privilege vulnerability CVE-2021-28310, discovered by Kaspersky researcher Boris Larin, was found exploited in the wild by the BITTER APT group.
“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities,” Kaspersky said.
CISA’s Deadline to Patch Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) recently ordered federal agencies to install the newly released Microsoft Exchange security updates by April 16, 2021. The agency stated that threat actors might reverse engineer the updates to create working exploits due to their severity and public disclosure.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require immediate and emergency action. “This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information,” CISA said.