marketing

04.29.2022
Vulnerability Analysis : CVE-2021-26857

Introduction

This vulnerability is part of the Microsoft Exchange Server attack chain and is also referred to as the SSRF vulnerability. An attacker who can establish an HTTPS connection to the server can use it to obtain authenticated access as a user.

Vulnerability Severity

This vulnerability has a score of 7.8 and is classified as high severity. Enterprises should therefore not underestimate the harm it can cause.

Affected versions

Microsoft Exchange 2013

Microsoft Exchange 2016

Microsoft Exchange 2019

Microsoft Exchange 2010

Ways to Mitigate the Vulnerability

The initial attack requires the ability to establish a connection to port 443 (the Exchange server's HTTPS port), and that connection is by nature untrusted. Limiting untrusted connections to the server, and placing the Exchange server behind a VPN so that external access is handled separately, therefore restricts this first step.

This mitigation is only a stopgap, as it blocks just the initial stage of the attack. The remaining stages of the attack chain can still be triggered once an attacker has access.
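The "limit untrusted connections to port 443" mitigation above, as an added PowerShell example that is not from the original post: it lists inbound Windows Defender Firewall rules that allow TCP 443 from any remote address, disables them, and adds a rule scoped to a VPN client subnet. The subnet 10.8.0.0/24 and the rule name are placeholders; review the disabled rules before running this on a production server.

```powershell
# Added example: scope inbound HTTPS on an Exchange server to a trusted VPN range.
# Assumptions (placeholders): 10.8.0.0/24 is the VPN client subnet; the host uses
# the built-in Windows Defender Firewall; run in an elevated PowerShell session.

$TrustedRanges = @('10.8.0.0/24')                       # placeholder VPN subnet(s)
$RuleName      = 'Exchange HTTPS - trusted sources only'  # placeholder rule name

# Weak state: any enabled inbound Allow rule for TCP 443 whose remote scope is "Any",
# i.e. the untrusted connection the initial attack step relies on.
$openRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }

foreach ($rule in $openRules) {
    Write-Warning "Disabling '$($rule.DisplayName)' (allows TCP 443 from Any)"
    Disable-NetFirewallRule -Name $rule.Name
}

# Corrected state: one inbound Allow rule for TCP 443 limited to the VPN range,
# with the profile default set to block everything not explicitly allowed.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 443 -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null
}
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Verification: the new rule should list only the trusted ranges as remote addresses.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Because this blocks all direct internet access to port 443, clients outside the VPN (including Outlook on the web and mobile devices) lose connectivity until they connect through the VPN.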

Solution

Microsoft has officially released the relevant security patches to prevent this vulnerability from harming the system.

Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Detection Tool

Microsoft has released a PowerShell script called Test-ProxyLogon.ps1 on GitHub. This script checks whether Microsoft Exchange servers are affected by this vulnerability.

Link: https://github.com/microsoft/CSS-Exchange/tree/main/Security

References

- https://nvd.nist.gov/vuln/detail/CVE-2021-26857
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
- https://github.com/microsoft/CSS-Exchange/tree/main/Security
- https://www.cyber.gc.ca/en/alerts/active-exploitation-microsoft-exchange-vulnerabilities
