Mitigation Instructions for CVE-2016-4437
Mitigating CVE-2016-4437: Remote Code Execution Vulnerability in Apache ActiveMQ
SUBJECT: CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability
TECH STACK: Microsoft Exchange Server
DATE(S) ISSUED: 03/16/2021
CRITICALITY: HIGH
OVERVIEW:
In the attacks CVE-2012-1823 was observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.
NIST Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
https://nvd.nist.gov/vuln/detail/CVE-2021-26855
THREAT INTELLIGENCE:
CISA has added CVE-2021-26855 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
SOLUTION:
This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.
It is a recommended priority to install updates on Exchange Servers that are externally facing.
Here are the steps to update PHP on a Unix-based system (such as Linux or macOS):
Install an Exchange CU using the Setup wizard
- Download the latest version of Exchange on the target computer. For more information, see Updates for Exchange Server.
- In File Explorer, right-click on the Exchange CU ISO image file that you downloaded, and then select Mount. In the resulting virtual DVD drive that appears, start Exchange Setup by double-clicking Setup.exe.
- Connect to the Internet and check for updates: We recommend this option, which searches for updates to the version of Exchange that you're currently installing (it doesn't detect newer CUs). This option takes you to the Downloading Updates page that searches for updates. Click Next to continue.
- The Exchange Server Setup wizard opens. On the Check for Updates? page, choose one of the following options, and then click Next to continue:
- Select "Don't check for updates right now"
- Select "Don't check for updates right now"
5. The Copying Files page shows the progress of copying files to the local hard drive. Typically, the files are copied to %WinDir%\Temp\ExchangeSetup, but you can confirm the location in the Exchange Setup log at C:\ExchangeSetupLogs\ExchangeSetup.log.- The Upgrade page shows that Setup detected the existing installation of Exchange, so you're upgrading Exchange on the server (not installing a new Exchange server). Click Next to continue.
- On the License Agreement page, review the software license terms, select I accept the terms in the license agreement, and then click Next to continue.
- On the Readiness Checks page, verify that the prerequisite checks completed successfully. If they haven't, the only option on the page is Retry, so you need to resolve the errors before you can continue.
- After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the computer, you need to start over at Step 1.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so you can continue. Be sure to review any warnings, and then click Install to install Exchange. - On the Setup Progress page, a progress bar indicates how the installation is proceeding.
- On the Setup Completed page, click Finish, and then restart the computer.
REFERENCES:
Microsoft:KB5000871
URL: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
https://msrc.microsoft.com/blog/2021/03/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Mitigation Instructions for CVE-2013-1896
Mitigating CVE-2013-1896: Privilege Escalation Vulnerability in Puppet
Mitigation Instructions for CVE-2014-6271 Shellshock Vulnerability in Bash
Subject: Mitigating CVE-2014-6271: Shellshock Vulnerability in Bash