Mitigation Instructions for CVE-2021-26857

SUBJECT: Microsoft Exchange Server Remote Code Execution Vulnerability

TECH STACK: MICROSOFT EXCHANGE SERVER

DATE(S) ISSUED: MARCH 16, 2021

Criticality: Critical

OVERVIEW:

CVE-2021-26857 is a recently disclosed vulnerability in Microsoft Exchange Server that could allow an attacker to execute arbitrary code remotely. This vulnerability affects Exchange Server 2013, 2016, and 2019.
The vulnerability exists due to improper validation of user-supplied data by the Exchange Server. An attacker could send a specially crafted request to the server, which could lead to the execution of arbitrary code in the context of the system user.
If exploited, the vulnerability could allow an attacker to take full control of the affected system, including stealing data, installing malware, or conducting other malicious activities.

THREAT INTELLIGENCE:

This vulnerability is being actively exploited in the wild by APT group Ryuk.

SOLUTION:

Install the latest security updates: Microsoft has released security updates that address the CVE-2021-26857 vulnerability. It is recommended that affected systems be updated as soon as possible to prevent exploitation.

Check for indicators of compromise: Microsoft has released tools and guidance to help identify potential indicators of compromise on affected systems. It is recommended to follow these guidelines and check for any signs of malicious activity.

Monitor for suspicious activity: It is recommended to monitor the network for any suspicious activity that may indicate an attempt to exploit the vulnerability.

Review Exchange logs: Review the Exchange Server logs to determine if the system has been compromised. Specifically, look for any suspicious activity related to the ECP application pool.

Implement additional security controls: It is recommended to implement additional security controls to help prevent exploitation of the vulnerability. Examples include implementing multi-factor authentication, disabling legacy authentication protocols, and configuring network segmentation.
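As an added example for the "Check for indicators of compromise" and "Review Exchange logs" steps (not part of the original advisory), the following Windows PowerShell function searches the Application event log for the indicator Microsoft published for CVE-2021-26857: errors from the "MSExchange Unified Messaging" source whose message contains System.InvalidCastException. The function name and the 90-day look-back window are assumptions.

```powershell
# Added example, not from the advisory. Intended for Windows PowerShell 5.1
# (Get-EventLog is not available in PowerShell 7).
# The function name and the 90-day default window are assumptions.
function Find-ExchangeUMCastError {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-90)
    )
    foreach ($server in $ComputerName) {
        $queryErrors = $null
        # Indicator from Microsoft's public guidance for CVE-2021-26857:
        # Application-log errors from the Unified Messaging source that
        # mention System.InvalidCastException.
        $hits = @(Get-EventLog -LogName Application -ComputerName $server `
                -Source 'MSExchange Unified Messaging' -EntryType Error `
                -After $After -ErrorAction SilentlyContinue `
                -ErrorVariable queryErrors |
            Where-Object { $_.Message -like '*System.InvalidCastException*' } |
            Sort-Object TimeGenerated)

        # One row per server, so "no hits" and "query failed" both stay visible.
        [pscustomobject]@{
            Server    = $server
            HitCount  = $hits.Count
            FirstSeen = ($hits | Select-Object -First 1).TimeGenerated
            LastSeen  = ($hits | Select-Object -Last 1).TimeGenerated
            # Get-EventLog also reports an error when nothing matches, so read
            # this note before treating a zero HitCount as a clean result.
            QueryNote = ($queryErrors | ForEach-Object { $_.Exception.Message }) -join '; '
            Events    = $hits | Select-Object TimeGenerated, EventID, Message
        }
    }
}

# Local server, default window; expand Events for any server with HitCount > 0.
Find-ExchangeUMCastError | Format-List Server, HitCount, FirstSeen, LastSeen, QueryNote
```

A non-zero HitCount is a lead for investigation rather than proof of compromise, and a zero count only covers the events still retained in the log for the chosen window.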

It is important to note that these are just mitigation instructions and do not address the underlying vulnerability. Affected systems should be patched as soon as possible to fully remediate the issue. Additionally, it is recommended to follow best practices for securing Exchange Server and regularly review security policies and configurations to help prevent future vulnerabilities.

REFERENCES:
msrc.microsoft.com:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
