On April 13th, 2021 Microsoft announced that four Critical Remote Code Execution vulnerabilities had been discovered in Microsoft Exchange Server 2013, 2016 and 2019:
• CVE-2021-28480
• CVE-2021-28481
• CVE-2021-28482
• CVE-2021-28483
CVE-2021-28480 and CVE-2021-28481 are pre-authentication vulnerabilities in Microsoft Exchange Server, which means that an attacker does not need to authenticate to the vulnerable Exchange Server in order to exploit the vulnerability. All the attacker needs to do is perform reconnaissance against their intended targets and then send specially crafted requests to the vulnerable Exchange Server. CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities in Microsoft Exchange Server. Unlike CVE-2021-28480 and CVE-2021-28481, these are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. However, these vulnerabilities could be chained together with a pre-authentication Exchange Server vulnerability to bypass that requirement.
• The following updates to address the vulnerabilities are available for these specific builds of Exchange Server:
• Exchange Server 2013 CU23
• Exchange Server 2016 CU19 and CU20
• Exchange Server 2019 CU8 and CU9
• Microsoft reported no known exploitation in the wild at the time of release
• Exchange Online (i.e. O365) is not affected
Additional details:
• https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/
• https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617
• https://www.tenable.com/blog/cve-2021-28480-cve-2021-28481-cve-2021-28482-cve-2021-28483-four-critical-microsoft-exchange
• Apply the patches and updates available from Microsoft immediately after appropriate testing. Note that the Security Update installs only on the supported Cumulative Updates listed above, so a server on an older CU must first be brought to a supported CU. Microsoft offers two aids for planning this:
• Go to https://aka.ms/ExchangeUpdateWizard, choose your currently running CU and your target CU, then click the “Tell me the steps” button to get directions for your environment.
• Use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release), to inventory your servers. Running this script will tell you whether any of your Exchange Servers are behind on updates (CUs and SUs).
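As an added example (this is not Microsoft's tooling and was not part of the original advisory), the following PowerShell inventories the SU level of each Exchange server directly. AdminDisplayVersion reflects only the CU, so the script instead reads the file version of ExSetup.exe on each server and compares it with the minimum build that carries the April 2021 Security Update. The build numbers in the table are taken from Microsoft's “Exchange Server build numbers and release dates” page and are this script's assumptions: confirm them against that page before acting on the output. It assumes an Exchange Management Shell session and WinRM access to each server.

```powershell
# Added example: compare each Exchange server's ExSetup.exe build against the
# minimum build that includes the April 2021 SU. Not Microsoft's code.
# ASSUMPTION: the build numbers below must be verified against Microsoft's
# "Exchange Server build numbers and release dates" page.
$minimumBuild = @{
    # Key = major.minor.build of the CU; value = first build with the April 2021 SU
    '15.0.1497' = [version]'15.0.1497.15'   # Exchange 2013 CU23
    '15.1.2176' = [version]'15.1.2176.12'   # Exchange 2016 CU19
    '15.1.2242' = [version]'15.1.2242.8'    # Exchange 2016 CU20
    '15.2.792'  = [version]'15.2.792.15'    # Exchange 2019 CU8
    '15.2.858'  = [version]'15.2.858.10'    # Exchange 2019 CU9
}

function Get-ExchangeBuildStatus {
    param(
        # Defaults to every server in the org; requires the Exchange Management Shell.
        [string[]]$Server = (Get-ExchangeServer).Name
    )

    foreach ($name in $Server) {
        try {
            # The SU level is only visible in the ExSetup.exe file version.
            # %ExchangeInstallPath% is set by Exchange setup on every server.
            $fileVersion = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
                (Get-Item $exsetup).VersionInfo.FileVersion
            }
        } catch {
            [pscustomobject]@{ Server = $name; Build = 'n/a'; Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }

        # [version] normalises forms such as 15.02.0858.010 to 15.2.858.10
        $build = [version]$fileVersion
        $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build

        if (-not $minimumBuild.ContainsKey($cuKey)) {
            $status = 'UNSUPPORTED CU: move to a supported CU first (see the update wizard)'
        } elseif ($build -ge $minimumBuild[$cuKey]) {
            $status = 'April 2021 SU present'
        } else {
            $status = 'MISSING April 2021 SU'
        }

        [pscustomobject]@{ Server = $name; Build = $build.ToString(); Status = $status }
    }
}

Get-ExchangeBuildStatus | Format-Table -AutoSize
```

A server reported as “UNSUPPORTED CU” cannot take the April SU at all until it is moved to one of the listed CUs, which is the case the Exchange Update Wizard above is meant to walk you through.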
With today’s update, Microsoft has fixed 108 vulnerabilities, with 19 classified as Critical and 89 as Important. These numbers do not include the 6 Chromium-based Edge vulnerabilities released earlier this month. We suggest applying patches to all workstations and servers to remediate the CVEs that are publicly disclosed or being actively exploited in the wild.
Boris Larin of Kaspersky Lab discovered this vulnerability being exploited in the wild and suspects that it is tied to the BITTER APT group. Larin and co-authors have released a detailed technical write-up on this vulnerability, which impacts the Desktop Window Manager.
This publicly disclosed denial-of-service vulnerability impacts the Windows NTFS file system. Newer Windows 10 releases as well as Windows Server 2019 and Windows Server version 20H2 are impacted. This appears to be the same vulnerability detailed by BleepingComputer back in January. When the proof of concept is executed, an unpatched system outputs “The file or directory is corrupted and unreadable.”, whereas a patched system outputs “The directory name is invalid.”
A publicly disclosed information disclosure in the Windows Installer could allow attackers to read from the file system. Based on the Microsoft security guidance, all versions of Windows from Windows 7 to Windows 10 and their associated server platforms are vulnerable.
The final publicly disclosed vulnerability this month is found in @azure/ms-rest-nodeauth, a Node.js library for Azure authentication. The fix for this vulnerability was committed on March 23, 2021 and can be reviewed on GitHub.
This publicly disclosed elevation of privilege vulnerability in the RPC Endpoint Mapper Service affects only older operating systems; patches are available for Windows 7, Windows Server 2008 R2, and Windows Server 2012.
Kerberos KDC Security Feature Bypass Vulnerability [CVE-2020-17049]
Microsoft has released version 5 of this security guidance because the default settings have changed. The guidance now assumes that all domain controllers have the December 2020 update installed. Additionally, the PerformTicketSignature registry value can no longer be set to 0, which previously disabled Kerberos service ticket signatures and left domains unprotected. If PerformTicketSignature is set to 0, the KDC now behaves as if it were set to 1.
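As an added example (not part of Microsoft's guidance or the original advisory), the following PowerShell reads PerformTicketSignature from every domain controller so you can confirm that no DC is still configured with the old 0 setting and that all DCs are in the same mode. The registry path HKLM\SYSTEM\CurrentControlSet\Services\Kdc and the value name are the ones Microsoft documents for CVE-2020-17049; the function name and the meaning table are this script's own. It assumes the ActiveDirectory RSAT module and WinRM access to each DC.

```powershell
# Added example: inventory the PerformTicketSignature setting across all DCs.
# Not Microsoft's code. Registry location is the one documented for CVE-2020-17049.
function Get-KdcTicketSignatureSetting {
    param(
        # Defaults to every DC in the current domain (requires the ActiveDirectory module).
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
    )

    # Meaning of each value per Microsoft's guidance (0 is no longer honoured and behaves as 1).
    $meaning = @{
        0 = 'Disabled (ignored after the version-5 guidance; KDC behaves as if set to 1)'
        1 = 'Deployment mode (sign service tickets, validate signatures when present)'
        2 = 'Enforcement mode (reject service tickets without a valid signature)'
    }

    foreach ($dc in $DomainController) {
        try {
            $value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
                    -Name PerformTicketSignature -ErrorAction SilentlyContinue
            }
        } catch {
            [pscustomobject]@{ DomainController = $dc; PerformTicketSignature = 'n/a'; Meaning = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }

        if ($null -eq $value) {
            # Value absent: the default for the installed update level applies.
            $shown = 'not set'
            $text  = 'Default for the installed update applies'
        } elseif ($meaning.ContainsKey([int]$value)) {
            $shown = [int]$value
            $text  = $meaning[[int]$value]
        } else {
            $shown = $value
            $text  = 'Unexpected value; review against Microsoft guidance'
        }

        [pscustomobject]@{ DomainController = $dc; PerformTicketSignature = $shown; Meaning = $text }
    }
}

# Show the inventory, then flag any DC whose explicit setting differs from the others.
$settings = Get-KdcTicketSignatureSetting
$settings | Format-Table -AutoSize
$distinct = $settings | Where-Object { $_.PerformTicketSignature -ne 'n/a' } |
    Select-Object -ExpandProperty PerformTicketSignature -Unique
if ($distinct.Count -gt 1) {
    Write-Warning "Domain controllers disagree on PerformTicketSignature: $($distinct -join ', ')"
}
```

A DC that still shows 0 is not weaker than one showing 1 once the update is installed, but the mixed configuration is a sign that the rollout was never completed and should be cleaned up before moving to enforcement mode (2) across the domain.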
The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting the following known Fortinet FortiOS vulnerabilities:
• CVE-2018-13379
• CVE-2020-12812
• CVE-2019-5591
APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to government, commercial, and technology service networks. Gaining initial access pre-positions the APT actors to conduct future attacks.
Google Chrome & Microsoft Edge
Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw. The vulnerability is one of 47 security fixes that the tech giant rolled out on Tuesday in Chrome 89.0.4389.72, including patches for eight high-severity flaws.
However, Google Chrome 89.0.4389.114 and Microsoft Edge 89.0.774.76, the latest Stable channel versions at the time of writing, remain vulnerable to a separate issue: a working proof-of-concept (PoC) exploit has been published for a remote code execution vulnerability in the V8 JavaScript engine used by Chromium-based browsers. The published PoC only runs with the browser sandbox disabled, so on its own it does not give an attacker code execution on a default installation, but it is a working primitive that a sandbox escape could be chained with.
Google is expected to release Chrome 90 to the Stable channel with a fix for this zero-day RCE vulnerability. Microsoft Edge will follow the same upgrade schedule.
Firefox
Mozilla described it as a “buffer overflow in depth pitch calculations for compressed textures.” The issue, reported by external researchers, only impacts Firefox running on Windows; other operating systems are not affected. The fix shipped in Firefox 85.0.1 and Firefox ESR 78.7.1.
Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM: your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.
We will also provide updates to organizations we are servicing through our Incident Response Retainer.
Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.
Please go ahead and share this with your peers.
For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.
Best Regards,
The iSecurity Team