1 min read

Mitigation Instructions for CVE-2021-27065

Mitigation Instructions for CVE-2021-27065

SUBJECT: CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability (HAFNIUM Exploited)

TECH STACK: Microsoft Exchange Server_ Microsoft Windows Server_ Internet Information Services (IIS)_FastCGI (Fast Common Gateway Interface)_Network Infrastructure

DATE(S) ISSUED: 03/02/2021

NVD Last Modified: 07/12/2022

CRITICALITY: HIGH

OVERVIEW: 

CVE-2021-27065 is a significant security vulnerability affecting Microsoft Exchange Server. This vulnerability is a post-authentication arbitrary file write issue, which essentially means that if an attacker can authenticate with the Exchange server, they can use this vulnerability to write a file to any path on the server.

Authentication could be achieved either by exploiting another vulnerability, specifically the CVE-2021-26855 SSRF (Server Side Request Forgery) vulnerability, or by compromising a legitimate administrator's credentials. Once authenticated, the attacker can potentially execute arbitrary code, leading to a severe breach of the system's security.

THREAT INTELIGENCE:

The noteworthy point about this vulnerability is that it was exploited by a hacker group known as HAFNIUM. This group is reported to have used this vulnerability in targeted attacks against a variety of industry sectors, leading to substantial security breaches.

SOLUTION:

This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

We recommend prioritizing installing updates on Exchange Servers that are externally facing.

REFERENCES:

Exploits and Advisories:

  1. Microsoft Exchange ProxyLogon Remote Code Execution - Third Party Advisory and VDB Entry
  2. Microsoft Exchange ProxyLogon Collector - Third Party Advisory and VDB Entry

Microsoft Security Guidance:

  1. Microsoft Security Advisory for CVE-2021-27065
     
Mitigation Instructions for CVE-2016-4437

Mitigation Instructions for CVE-2016-4437

Mitigating CVE-2016-4437: Remote Code Execution Vulnerability in Apache ActiveMQ

Read More
Mitigation Instructions for CVE-2013-1896

Mitigation Instructions for CVE-2013-1896

Mitigating CVE-2013-1896: Privilege Escalation Vulnerability in Puppet

Read More
Mitigation Instructions for CVE-2014-6271 Shellshock Vulnerability in Bash

Mitigation Instructions for CVE-2014-6271 Shellshock Vulnerability in Bash

Subject: Mitigating CVE-2014-6271: Shellshock Vulnerability in Bash

Read More