Security

Mitigation Instructions for CVE-2021-27065

Written by CyRisk Vulnerability Management Team | May 15, 2023 8:26:09 PM

SUBJECT: CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability (HAFNIUM Exploited)

TECH STACK: Microsoft Exchange Server, Microsoft Windows Server, Internet Information Services (IIS), FastCGI (Fast Common Gateway Interface), Network Infrastructure

DATE(S) ISSUED: 03/02/2021

NVD Last Modified: 07/12/2022

CRITICALITY: HIGH

OVERVIEW: 

CVE-2021-27065 is a significant security vulnerability affecting Microsoft Exchange Server. It is a post-authentication arbitrary file write: an attacker who can authenticate to the Exchange server can use it to write a file to any path on the server.

Authentication could be achieved either by exploiting another vulnerability, specifically the CVE-2021-26855 SSRF (Server-Side Request Forgery) vulnerability, or by compromising a legitimate administrator's credentials. Once authenticated, the attacker can potentially execute arbitrary code, leading to a severe breach of the system's security.

THREAT INTELLIGENCE:

Notably, this vulnerability was exploited by a hacker group known as HAFNIUM. This group is reported to have used it in targeted attacks against a variety of industry sectors, leading to substantial security breaches.

SOLUTION:

This vulnerability is part of an attack chain. The initial step requires the ability to make an untrusted connection to port 443 on the Exchange server. This can be protected against by restricting untrusted connections, or by placing the Exchange server behind a VPN so that it is not directly reachable from the Internet. This mitigation only protects against the initial portion of the attack. Other portions of the chain can still be triggered if an attacker already has access or can convince an administrator to open a malicious file.

We recommend prioritizing installing updates on Exchange Servers that are externally facing.
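As an added example (not part of the CyRisk advisory or any Microsoft guidance), the following Windows PowerShell session applies the interim network restriction described above on an Exchange server: it disables the existing inbound allow rules for TCP/443 in Windows Defender Firewall and replaces them with one rule scoped to trusted address ranges, then records the Exchange build so it can be compared with Microsoft's list of patched builds. The address ranges in $TrustedRanges and the rule name are placeholders to be replaced with the organisation's VPN or internal subnets.

```powershell
# Added example, not from the advisory. Run in an elevated Exchange Management
# Shell on the Exchange server. $TrustedRanges is a placeholder; replace it
# with the VPN / internal subnets that legitimately need HTTPS access.
$TrustedRanges = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder values
$RuleName = 'Exchange HTTPS - trusted ranges only'

# 1. Disable every enabled inbound Allow rule that opens TCP/443. Block rules
#    win over Allow rules in Windows Firewall, but two Allow rules do not
#    narrow each other, so the broad rules must be disabled before a scoped
#    Allow rule has any effect.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Tee-Object -Variable disabledRules |
    Disable-NetFirewallRule
"Disabled {0} broad inbound TCP/443 rule(s)" -f @($disabledRules).Count

# 2. Allow HTTPS inbound only from the trusted ranges.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null

# 3. Verify the new rule's address scope.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 4. Record the Exchange build for comparison with Microsoft's patched-build
#    list for this CVE (the advisory does not list build numbers, so none are
#    hard-coded here).
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
```

Two caveats when using this. First, the port-filter query only catches rules whose LocalPort is explicitly 443; a program-scoped rule with LocalPort "Any" (as Exchange setup can create) would still admit the traffic, so confirm the result with a connection test from an untrusted address rather than trusting the rule list alone. Second, as the advisory notes, this restricts only the initial untrusted connection; it does nothing against the post-authentication file write itself, so it is a stop-gap until the Exchange update is installed.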

REFERENCES:

Exploits and Advisories:

  1. Microsoft Exchange ProxyLogon Remote Code Execution - Third Party Advisory and VDB Entry
  2. Microsoft Exchange ProxyLogon Collector - Third Party Advisory and VDB Entry

Microsoft Security Guidance:

  1. Microsoft Security Advisory for CVE-2021-27065