Executive Summary
CVE-2021-26855 is a critical server-side request forgery (SSRF) vulnerability in on-premises Microsoft Exchange Server. An unauthenticated attacker who can reach the server over HTTPS can send arbitrary HTTP requests through the Client Access front end and have them authenticated to backend endpoints as the Exchange server itself. On its own this is an authentication bypass that exposes mailbox data; chained with the other ProxyLogon bugs disclosed alongside it (CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) it yields remote code execution and has been used to plant web shells and exfiltrate data. The chain was exploited as a zero-day before Microsoft's out-of-band patches of March 2, 2021, and has since been used by many threat actors, including the China-based, state-sponsored group that Microsoft tracks as Hafnium. Immediate action is required to mitigate the risks associated with this vulnerability.
Technical Information
CVE-2021-26855 is an SSRF flaw in the Client Access (front-end) component of Microsoft Exchange Server, rated CVSS v3.1 9.8 (Critical) in the National Vulnerability Database. The front end proxies client requests to the backend web site (TCP 444) but does not adequately validate the attacker-controlled request data it uses to pick the backend target, so an unauthenticated request can be forwarded to arbitrary backend endpoints carrying the front end's own machine identity. By itself this is an authentication bypass, not code execution: the widely used attack chains it with CVE-2021-27065, a post-authentication arbitrary file write, to drop an ASPX web shell under the IIS web root, which then runs with the SYSTEM privileges of the Exchange application pools.
The vulnerability affects on-premises Exchange Server 2013, 2016 and 2019. Microsoft's March 2, 2021 security update targets Microsoft Exchange Server 2013 (Cumulative Update 23), Microsoft Exchange Server 2016 (Cumulative Update 18, 19) and Microsoft Exchange Server 2019 (Cumulative Update 7, 8); older cumulative updates are also vulnerable but were out of support at disclosure, so servers on them must move to a supported CU before the fix can be applied. Exchange Online is not affected. The vulnerability is classified under CWE-918 (Server-Side Request Forgery (SSRF)).
Exploitation of CVE-2021-26855 lets an unauthenticated attacker bypass authentication and act as the Exchange server against backend services, including reading mail from arbitrary mailboxes over EWS. Chained with the file-write bugs it leads to remote code execution, data exfiltration, and the deployment of web shells (commonly China Chopper variants) for persistent access. The vulnerability was exploited in the wild from at least early January 2021, two months before a patch existed, with the earliest activity attributed to the Hafnium APT group.
Several proof-of-concept (PoC) exploits have been published, demonstrating the exploitation of CVE-2021-26855. These include:
- Packet Storm Security - Microsoft Exchange 2019 SSRF Arbitrary File Write
- Packet Storm Security - Microsoft Exchange ProxyLogon Remote Code Execution
- GitHub - ZephrFish/Exch-CVE-2021-26855
Exploitation in the Wild
CVE-2021-26855 has been actively exploited by various threat actors, including state-sponsored APT groups. The Hafnium group, assessed by Microsoft to be state-sponsored and operating from China, was the first actor identified exploiting it; within days of public disclosure many other groups, including the operators of the DearCry ransomware, were also exploiting unpatched servers. Attackers use this vulnerability to gain initial access to the Exchange Server, followed by the deployment of web shells for persistent access, credential theft and further exploitation.
Indicators of Compromise (IoCs) related to this vulnerability include: entries in the Exchange HttpProxy logs (under the install path's Logging\HttpProxy directory) where AuthenticatedUser is empty and AnchorMailbox has the form ServerInfo~<host>/<path>, which is the signature of the SSRF request; unexpected .aspx files in the IIS web root, in particular under inetpub\wwwroot\aspnet_client and the FrontEnd\HttpProxy\owa\auth directory; and unauthorized access to mailbox data. Microsoft's Test-ProxyLogon.ps1 script automates the log checks. Organizations should hunt for these IoCs on every server that was exposed before patching, because applying the update does not remove a web shell that is already in place.
APT Groups using this vulnerability
The Hafnium APT group, operating from China, has been identified as one of the primary actors exploiting CVE-2021-26855. This group targets sectors such as government, defense, and critical infrastructure. The exploitation techniques used by Hafnium include sending specially crafted HTTP requests to the Exchange Server to gain initial access, followed by the deployment of web shells for persistent access and further exploitation.
Affected Product Versions
The following versions of Microsoft Exchange Server are affected by CVE-2021-26855:
- Microsoft Exchange Server 2013 (Cumulative Update 23)
- Microsoft Exchange Server 2016 (Cumulative Update 18, 19)
- Microsoft Exchange Server 2019 (Cumulative Update 7, 8)
Organizations using these versions should prioritize applying the necessary patches to mitigate the risk of exploitation.
Workaround and Mitigation
Microsoft released out-of-band patches for CVE-2021-26855 on March 2, 2021. It is crucial for organizations to apply these updates immediately to mitigate the risk of exploitation; where patching must wait, Microsoft also published interim mitigations (an IIS URL Rewrite rule that blocks requests carrying the X-AnonResource-Backend and X-BEResource cookies used by the exploit, packaged in the Exchange On-premises Mitigation Tool), which reduce exposure but are not a substitute for the update. Patching closes the entry point but does not evict an attacker who is already present, so exposed servers should be investigated for compromise as part of remediation. The patch information can be found at the Microsoft Security Response Center - CVE-2021-26855.
In addition to applying patches, organizations should implement the following mitigation strategies:
- Network Segmentation: Restrict untrusted inbound access to the Exchange HTTPS endpoint (for example by requiring VPN access) where business needs allow; this limits who can reach the vulnerable front end but does not fix the flaw, and the server must still be patched.
- Monitoring and Detection: Hunt in the HttpProxy logs for unauthenticated requests with a ServerInfo~ AnchorMailbox, review the IIS web root for unexpected .aspx files, and alert on child processes spawned by the IIS worker process (w3wp.exe).
- Incident Response: Prepare an incident response plan to quickly address any signs of exploitation, including web shell removal and credential resets, since attackers commonly dumped LSASS after gaining a shell.
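The two detection checks above (HttpProxy log hunting and web-root triage) as working code, added to this report as an example; it is not Exchange code, not Rescana tooling and not Microsoft's Test-ProxyLogon.ps1. The log rule follows Microsoft's published HAFNIUM hunting query (empty AuthenticatedUser and AnchorMailbox matching ServerInfo~*/*). The log rows, file listing, host names and IP addresses are constructed for the example; the column set is abridged, and the web shell directories are the default install locations, so adjust them for non-default drives or install paths.

```python
"""Hunt for CVE-2021-26855 (ProxyLogon) artefacts in Exchange HttpProxy logs
and in the IIS web root. Added example for this report; not Exchange, Rescana
or Microsoft code. Sample data below is constructed.
"""
from __future__ import annotations

import csv
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# AnchorMailbox written by the SSRF request: ServerInfo~<backend host>/<path>
SERVERINFO_PATTERN = re.compile(r"^ServerInfo~[^/]+/.+", re.IGNORECASE)

# Default locations where ProxyLogon web shells were dropped. No .aspx file
# belongs in aspnet_client; owa\auth holds legitimate pages (logon.aspx), so
# files there should be diffed against a clean install rather than flagged blind.
ASPNET_CLIENT_DIRS = {
    r"c:\inetpub\wwwroot\aspnet_client",
    r"c:\inetpub\wwwroot\aspnet_client\system_web",
}

# Constructed, abridged HttpProxy log. Real files start with '#' metadata lines
# and carry many more columns; row 3 models the SSRF, the others are benign.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,HttpStatus
2021-03-02T10:01:12.512Z,10.0.0.15,/owa/,CORP\\alice,SMTP:alice@corp.example,Mozilla/5.0,200
2021-03-02T10:01:30.004Z,10.0.0.16,/mapi/emsmdb/,CORP\\bob,SMTP:bob@corp.example,MAPI/HTTP,200
2021-03-02T10:02:45.118Z,198.51.100.23,/owa/auth/x.js,,ServerInfo~ex01.corp.example/autodiscover/autodiscover.xml,python-requests/2.25.1,200
2021-03-02T10:03:10.731Z,10.0.0.17,/ecp/,CORP\\carol,SMTP:carol@corp.example,Mozilla/5.0,200
"""

# Constructed directory listing of the IIS web root and the OWA auth folder.
SAMPLE_FILE_LISTING = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\webforms.js",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_httpproxy_log(text: str) -> list[dict[str, str]]:
    """Parse an HttpProxy CSV log. Column names come from the '#Fields:' line;
    if a file has none, the first non-comment row is treated as the header."""
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if fields is None:
            fields = values
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_requests(rows: list[dict[str, str]]) -> list[Finding]:
    """Microsoft's HAFNIUM hunting rule: unauthenticated request whose
    AnchorMailbox is ServerInfo~<host>/<path>."""
    hits = []
    for row in rows:
        if row.get("AuthenticatedUser", "") == "" and SERVERINFO_PATTERN.match(
            row.get("AnchorMailbox", "")
        ):
            hits.append(Finding(
                "CVE-2021-26855 SSRF request",
                f"{row['DateTime']} {row['ClientIpAddress']} {row['UrlStem']} "
                f"AnchorMailbox={row['AnchorMailbox']} UA={row.get('UserAgent', '')}",
            ))
    return hits


def find_suspicious_aspx(paths: list[str]) -> list[Finding]:
    """Flag .aspx files directly inside the aspnet_client directories, where
    IIS will execute them but no legitimate ASPX page is ever installed."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".aspx" and str(wp.parent).lower() in ASPNET_CLIENT_DIRS:
            hits.append(Finding("web shell location", str(wp)))
    return hits


def triage(log_text: str, file_listing: list[str]) -> list[Finding]:
    """Run both rules and return every finding."""
    return find_ssrf_requests(parse_httpproxy_log(log_text)) + find_suspicious_aspx(file_listing)


if __name__ == "__main__":
    for finding in triage(SAMPLE_HTTPPROXY_LOG, SAMPLE_FILE_LISTING):
        print(f"[{finding.rule}] {finding.detail}")
```

On a real server, feed parse_httpproxy_log every *.log file under the Exchange install's Logging\HttpProxy tree and the file rule a recursive listing of the web root; a single SSRF hit on a server that was reachable before March 2, 2021 should trigger a full compromise assessment, not just patching.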
References
For further information on CVE-2021-26855, please refer to the following resources:
- National Vulnerability Database - CVE-2021-26855
- UpGuard - Critical Microsoft Exchange Flaw: What is CVE-2021-26855?
- Tenable - Microsoft Exchange Server Zero-Day Vulnerabilities Exploited
- CISA - Mitigate Microsoft Exchange Server Vulnerabilities
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging threats like CVE-2021-26855. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of potential vulnerabilities by providing real-time monitoring, threat intelligence, and comprehensive incident response capabilities. We are committed to helping you safeguard your digital assets and ensure the resilience of your IT infrastructure. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.