Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. The first version was called Exchange Server 4.0, to position it as the successor to the related Microsoft Mail 3.5. Exchange initially used the X.400 directory service but switched to Active Directory later. Until version 5.0, it came bundled with an email client called Microsoft Exchange Client.
On March 2, 2021, Microsoft released emergency out-of-band security updates that address four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions; the vulnerabilities were being actively exploited in the wild. The Microsoft Threat Intelligence Center (MSTIC) released details on an active state-sponsored threat campaign. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be state-sponsored and operating out of China.”
The observed exploitation activity included creating web shells for continued access, remote code execution, and reconnaissance for endpoint security solutions. Alliant’s internal threat assessment team investigated the threat further. The investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\SYSTEM, a privileged local account on the Windows operating system.
The actively exploited zero-day vulnerabilities disclosed as part of the HAFNIUM-attributed threat campaign are:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permissions or chaining it with another vulnerability.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Microsoft’s Exchange Server team has released a script for IT admins to check whether their systems are vulnerable to the recently disclosed zero-day bugs. The script has been updated to include indicators of compromise (IOCs) linked to the four zero-day vulnerabilities found in Microsoft Exchange Server. Details of the scripts are below:
- Test-ProxyLogon.ps1 – Formerly known as Test-Hafnium, this script automates all four of the commands found in the HAFNIUM blog post. It also has a progress bar and some performance tweaks that make the CVE-2021-26855 check run much faster.
The most typical usage of this script is to check all Exchange servers and save the output by using the following syntax from Exchange Management Shell:
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
To check the local server only, just run the script:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
To display the results without saving them, drop the -OutPath parameter from either example above.
- ps1 – This mitigation filters HTTP requests that contain malicious X-AnonResource-Backend cookies and malformed X-BEResource cookies, which were observed in the SSRF attacks in the wild. It helps defend against the known attack patterns, but it does not mitigate the SSRF vulnerability as a whole. For more information, see the comments at the top of the script.
- HTTP-vuln-cve2021-26855.nse – This file is an Nmap script (NSE). It detects whether the specified URL is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855). For usage information, read the top of the file.
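As an added example (not code from the original page, from Microsoft's scripts, or from Alliant), the following Python script applies the cookie-based detection logic that the SSRF description and the mitigation item above describe to a handful of constructed access-log lines: it flags any request carrying an X-AnonResource-Backend cookie, or an X-BEResource cookie whose value contains a path separator before the "~" delimiter. The log field layout, the sample values, and the "path before ~" heuristic for "malformed" are assumptions made for this example, not Microsoft's published patterns. Like the mitigation it models, such a scan covers only the known patterns, not the SSRF as a whole, and is a triage aid rather than a replacement for the Test-ProxyLogon.ps1 check.

```python
"""Flag Exchange front-end requests carrying the suspicious cookie patterns
described on this page. Added example; not Microsoft's or Alliant's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, simplified access-log records (one per line):
#   <timestamp> <method> <url> <client-ip> <cookie-header-or-dash>
# These lines are fabricated for the example and the field layout is an
# assumption; this is not the real Exchange HttpProxy log format.
SAMPLE_LOG = """\
2021-03-03T10:14:02Z GET /owa/auth/logon.aspx 203.0.113.10 -
2021-03-03T10:14:05Z POST /owa/auth.owa 203.0.113.10 X-OWA-CANARY=abc123
2021-03-03T10:15:11Z GET /ecp/default.flt 198.51.100.7 X-AnonResource=true;X-AnonResource-Backend=backend/ecp/x.js?~1
2021-03-03T10:15:12Z GET /ecp/x.js 198.51.100.7 X-BEResource=backend/ecp/x.js~1
2021-03-03T10:16:00Z GET /ecp/default.aspx 203.0.113.10 X-BEResource=mail01~1941962753
"""

# Any X-AnonResource-Backend cookie is treated as suspicious, following the
# mitigation description on the page. The anchor avoids matching the name as
# a substring of some other cookie.
ANON_BACKEND = re.compile(r"(^|;\s*)X-AnonResource-Backend=", re.IGNORECASE)

# A well-formed X-BEResource value names a backend server followed by "~"
# and a version. Assumption used here for "malformed": a path separator
# appears before the "~" delimiter, which a plain server name never contains.
MALFORMED_BERESOURCE = re.compile(r"(^|;\s*)X-BEResource=[^;]*/[^;]*~", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    url: str
    reason: str


def classify_cookie(cookie_header: str) -> Optional[str]:
    """Return a reason string if the cookie header matches a known pattern, else None."""
    if ANON_BACKEND.search(cookie_header):
        return "X-AnonResource-Backend cookie present"
    if MALFORMED_BERESOURCE.search(cookie_header):
        return "malformed X-BEResource cookie (path before '~')"
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan log text line by line and collect the requests that match."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # skip blank or malformed records
        timestamp, _method, url, client_ip, cookie_header = parts
        reason = classify_cookie(cookie_header)
        if reason is not None:
            findings.append(Finding(timestamp, client_ip, url, reason))
    return findings


def clients_by_hits(findings: List[Finding]) -> Dict[str, int]:
    """Count matching requests per client address, for triage."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.client_ip] = counts.get(finding.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for finding in hits:
        print(f"{finding.timestamp} {finding.client_ip} {finding.url}: {finding.reason}")
    print(clients_by_hits(hits))
```

Note that the last sample line carries a well-formed X-BEResource cookie (server name, then "~", then a version) and is deliberately not flagged, so the heuristic does not raise on ordinary back-end routing cookies. On a real server, run the scan over exported front-end logs and treat every flagged client as a lead for the fuller Test-ProxyLogon.ps1 triage.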