Exploits & Vulnerabilities
March Patch Tuesday: Fixes for Exchange Server, IE
This month’s Patch Tuesday includes fixes already released for the Microsoft Exchange Server zero-day flaws attributed to Hafnium attacks.
This month’s Patch Tuesday features close to a hundred fixes, almost doubling last month’s total. The list includes patches already released for the Microsoft Exchange Server zero-day flaws attributed to Hafnium attacks.
Out of 89 patches released, 14 were rated Critical while the rest were deemed Important. Most of the critical vulnerabilities involve remote code execution (RCE) link except for an information disclosure bug. Fifteen of these were reported by the Zero Day Initiative (ZDI).
Microsoft Exchange Server Vulnerabilities
This month's bulletins include coverage for Exchange Server vulnerabilities, fixes for which were released ahead of Patch Tuesday last week. The Cybersecurity and Infrastructure Security Agency (CISA) has also strongly urged all affected organizations to patch their systems immediately.
Here are the details of these vulnerabilities as shared in Microsoft’s report:
- CVE-2021-26855 (Critical) – A Server Side Request Forgery (SSRF) flaw allowing attackers to send HTTP requests to a domain and authenticate as the Exchange server.
- CVE-2021-26857 (Critical) – An unsecure deserialization vulnerability in the Exchange Unified Messaging Service where untrusted data is deserialized by a program, allowing attackers to run arbitrary code. This flaw can only run with admin permission or another vulnerability.
- CVE-2021-27065 (Critical) – A post-authentication arbitrary file write vulnerability allowing attackers to write a file to any path on a server. Authentication can be performed by abusing CVE-2021-26855 or legitimate admin credentials.
- CVE-2021-26858 (Important) – A post-authentication arbitrary file write vulnerability allowing attackers to write a file to any path on a server. Authentication can be performed by abusing CVE-2021-26855 or legitimate admin credentials.
We share more details on this attack in a recent post.
Launching initial attacks through these vulnerabilities requires building an untrusted connection through Exchange server port 443; thus, partial mitigations for those who can’t patch yet include restricting untrusted access to the said port. However, mitigations will not provide complete protection, and patching is still highly advised.
The flaws affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Microsoft also released security updates applicable to some older and unsupported Cumulative Updates.
Patches for other Microsoft Server Exchange RCE flaws, CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078, have also been released.
Internet Explorer Flaw
CVE-2021-26411 (Internet Explorer Memory Corruption Vulnerability) was also patched. To exploit this flaw, attackers could use a specially crafted HTML file. They could host a website or take advantage of compromised websites or websites that feature user-provided content. They then typically lure users to the website through email or instant messages. This flaw affects Internet Explorer and Microsoft Edge.
Windows DNS Server, HVEC Video Extensions Bugs
Fixes for seven DNS Server flaws were also disclosed; these consist of five vulnerabilities involving RCE (CVE-2021-26897, CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, and CVE-2021-26895) and two for Denial of Service (CVE-2021-26896 and CVE-2021-27063). While the former allows the deployment of arbitrary code, the latter makes the system unresponsive.
Some concerns have recently been raised about various DNS bugs. Early this month, a proof-of-concept (PoC) exploit was released for CVE-2020-1350, a critical wormable SIGRed Windows DNS Server remote code execution (RCE) vulnerability that existed in the system’s code for over 17 years. On the other hand, CVE-2021-24078, a Windows DNS Server Remote Code Execution Vulnerability, was patched last month.
Other noteworthy bugs are those found in High Efficiency Video Coding (HEVC) Video Extensions. Ten flaws were patched, consisting of three (CVE-2021-24089, CVE-2021-26902 and CVE-2021-27061) rated as Critical and seven deemed as Important.
Recommendations
A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers.
The Trend Micro™ Deep Security™ solution provides network security, system security, and malware prevention. Combined with Vulnerability Protection, it can protect user systems from a wide range of upcoming threats that may target vulnerabilities. Both solutions protect users from exploits that target these vulnerabilities via the following rules:
- 1010854 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
- 1010857 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)
- 1010863 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
- 1010865 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)
- 1010864 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)
TippingPoint® Next-Generation Intrusion Prevention System (NGIPS) is a network traffic solution that uses comprehensive and contextual awareness analysis for advanced threats that exploit vulnerabilities.
TippingPoint protects customers through the following rules:
- 39101: HTTP: Microsoft Exchange Server Side Request Forgery Vulnerability (CVE-2021-26855)
- 39213: DNS: Microsoft Windows DNS Integer Overflow Vulnerability (CVE-2021-26877)
- 39214: HTTP: Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)
- 39218: DNS: Microsoft Windows Server DNS Buffer Overflow Vulnerability (CVE-2021-26897)
- 39219: HTTP: Microsoft SharePoint Unsafe Deserialization Vulnerability (CVE-2021-27076)
- 39221: DNS: Long Dynamic SigRR Update (CVE-2021-26897)