fb
Homepage 5 Blog 5 Microsoft Patch Tuesday, March 2021 Review

Microsoft Patch Tuesday, March 2021 Review

Manage remote endpoints, deploy software and patches with a robust cloud-based Action1 RMM solution. Start your 2-week trial or use free forever for up to 50 endpoints.



The seven Microsoft Exchange Server Vulnerabilities

Four of the seven bugs addressed in last Tuesday’s patch release were zero-day vulnerabilities that had already been exploited in the wild, possibly for months and affecting thousands of organizations. Microsoft describes the four vulnerabilities as part of an active attack chain that begins with an untrusted connection to the Exchange Server via port 443. The rest of the attack hinges on whether the actor can gain administrative access to the server.

Back in January, Volexity noted abnormal activities in two of its customers’ Microsoft Exchanger accounts. At the time, these accounts were sending a lot of data to an unknown external IP address. Upon closer inspection, Volexity ruled out the possibility of a server backdoor and discovered a zero-day server-side request forgery (SSRF) vulnerability. The security bug tagged CVE-2021-26855 is a remote code execution vulnerability that enabled the hacker to steal data from several Microsoft Exchange mailboxes.

According to Volexity, the exploit does not need any authentication, remote or otherwise, or any prior technical knowledge of the server environment. The attacker only needs to identify the server running MS Exchange and the target account.

CVE-2021-26857 is an insecure deserialization RCE vulnerability that allowed hackers to run code as SYSTEM on Microsoft Exchange Server. Running the code would require administrator permission or a separate exploit such as a malware injection.

CVE-2021-27065 and CVE-2021-26858 are arbitrary-file-write remote code execution vulnerabilities that enabled an attacker to write a file on the server. The file write could only be possible after privileged access to the server through a successful CVE-2021-26855 exploit or stolen admin credentials.

Microsoft also addressed three more RCE bugs not related to any known attacks. These were:

According to Microsoft, any externally facing servers running Exchange Server 2013, 2016, or 2019 are in danger of these exploits. Microsoft Exchange Online and Server 2010 SP3 are not vulnerable to any of these exploits. Microsoft has highlighted some of the indicators of an imminent or progressing attack and a PowerShell tool to identify various exploit markers.

There were several reported attacks on Exchange Server accounts, mostly targeted at infectious disease researchers, learning institutions, NGOs, and law firms in the US. But there were also several attacks reported in Asia, Europe, and the Middle East. Microsoft Threat Intelligence Center (MSTIC) identified the actor as Hafnium, an allegedly state-sponsored group of hackers operating from China.

Two more zero-day vulnerabilities fixed

The first is tracked as CVE-2021-26411, a memory corruption vulnerability affecting Internet Explorer and Microsoft Edge (EdgeHTML-Based). Microsoft marked this CVE as ‘critical’ and under active attack. The vulnerability allows an attacker to run malicious code on the client’s system if the browser accesses a specially crafted HTML page. The actors could either create a fake website or infect a legitimate site with a malicious payload. Google’s Threat Analysis Group first disclosed this exploit back in January, believed to be perpetrated by the Lazarus group. Later in early February, researchers at ENKI, a South Korean cybersecurity firm, reported the same attack that seemed to target security researchers.

Another zero-day vulnerability tracked as CVE-2021-27077 was also fixed in March’s patch release. The bug affects win32k, which is responsible for displaying data on a Windows screen. This Elevation of Privilege Vulnerability only scores a 7.8 CVSS since there were no reported exploits before the patch. An attacker might leverage this vulnerability to elevate their privilege beyond whatever user account level they have already compromised.

Other ‘critical’ and ‘important’ fixes

Windows DNS Server RCE and DoS vulnerabilities

The five CVEs: CVE-2021-26894CVE-2021-26877CVE-2021-26895CVE-2021-26897, and CVE-2021-26893, are Remote Code Execution vulnerabilities in Windows DNS servers. All these score 9.8 on the CVSS metrics, but only CVE-2021-268 97 is considered critical. They could be exploited during dynamic updates. CVE-2021-27063 and CVE-2021-26896 are DoS bugs that could be exploited to exhaust the target server’s resources, causing it to be unresponsive.

Windows Hyper-V RCE vulnerability

Authorized attackers could exploit CVE-2021-26867 to execute code on the Hyper-V server clients using the Plan 9 file system (9P). This bug has a CVSS of 9.9, although Microsoft rates its exploit as ‘less likely.’

Other noteworthy patches include fixes for:

Patch Your Systems

This month’s Patch Tuesday disclosed several serious flaws needing immediate patching. For the Exchange Server vulnerabilities, patching alone is not enough. Microsoft recommends probing vulnerable servers for signs of an attack and cleaning up any detectable exploits, even after installing the latest patch.

As usual, be sure to update all your Windows systems after every patch or cumulative update release. Next month’s Patch Tuesday is scheduled for April 13. Stay tuned for more security update news from Microsoft.Word count: 890/800The text has been certified 100% original by CopyscapeApprove project

CVE-2021-27065 and CVE-2021-26858 are arbitrary-file-write remote code execution vulnerabilities that enabled an attacker to write a file on the server. The file write could only be possible after privileged access to the server through a successful CVE-2021-26855 exploit or stolen admin credentials.

Microsoft also addressed three more RCE bugs not related to any known attacks. These were:

According to Microsoft, any externally facing servers running Exchange Server 2013, 2016, or 2019 are in danger of these exploits. Microsoft Exchange Online and Server 2010 SP3 are not vulnerable to any of these exploits. Microsoft has highlighted some of the indicators of an imminent or progressing attack and a PowerShell tool to identify various exploit markers.

There were several reported attacks on Exchange Server accounts, mostly targeted at infectious disease researchers, learning institutions, NGOs, and law firms in the US. But there were also several attacks reported in Asia, Europe, and the Middle East. Microsoft Threat Intelligence Center (MSTIC) identified the actor as Hafnium, an allegedly state-sponsored group of hackers operating from China.

Two more zero-day vulnerabilities fixed

The first is tracked as CVE-2021-26411, a memory corruption vulnerability affecting Internet Explorer and Microsoft Edge (EdgeHTML-Based). Microsoft marked this CVE as ‘critical’ and under active attack. The vulnerability allows an attacker to run malicious code on the client’s system if the browser accesses a specially crafted HTML page. The actors could either create a fake website or infect a legitimate site with a malicious payload. Google’s Threat Analysis Group first disclosed this exploit back in January, believed to be perpetrated by the Lazarus group. Later in early February, researchers at ENKI, a South Korean cybersecurity firm, reported the same attack that seemed to target security researchers.

Another zero-day vulnerability tracked as CVE-2021-27077 was also fixed in March’s patch release. The bug affects win32k, which is responsible for displaying data on a Windows screen. This Elevation of Privilege Vulnerability only scores a 7.8 CVSS since there were no reported exploits before the patch. An attacker might leverage this vulnerability to elevate their privilege beyond whatever user account level they have already compromised.

Other ‘critical’ and ‘important’ fixes

Windows DNS Server RCE and DoS vulnerabilities

The five CVEs: CVE-2021-26894CVE-2021-26877CVE-2021-26895CVE-2021-26897, and CVE-2021-26893, are Remote Code Execution vulnerabilities in Windows DNS servers. All these score 9.8 on the CVSS metrics, but only CVE-2021-26897 is considered critical. They could be exploited during dynamic updates. CVE-2021-27063 and CVE-2021-26896 are DoS bugs that could be exploited to exhaust the target server’s resources, causing it to be unresponsive.

Windows Hyper-V RCE vulnerability

Authorized attackers could exploit CVE-2021-26867 to execute code on the Hyper-V server clients using the Plan 9 file system (9P). This bug has a CVSS of 9.9, although Microsoft rates its exploit as ‘less likely.’

Other noteworthy patches include fixes for:

Stay updated

This month’s Patch Tuesday disclosed several serious flaws needing immediate patching. For the Exchange Server vulnerabilities, patching alone is not enough. Microsoft recommends probing vulnerable servers for signs of an attack and cleaning up any detectable exploits, even after installing the latest patch.

As usual, be sure to update all your Windows systems after every patch or cumulative update release. Next month’s Patch Tuesday is scheduled for April 13. Stay tuned for more security update news from Microsoft.Word count: 890/800The text has been certified 100% original by CopyscapeApprove project

Four of the seven bugs addressed in last Tuesday’s patch release were zero-day vulnerabilities that had already been exploited in the wild, possibly for months. Microsoft describes the four vulnerabilities as part of an active attack chain that begins with an untrusted connection to the Exchange Server via port 443. The rest of the attack hinges on whether the actor can gain administrative access to the server.

Back in January, Volexity noted abnormal activities in two of its customers’ Microsoft Exchanger accounts. At the time, these accounts were sending a lot of data to an unknown external IP address. Upon closer inspection, Volexity ruled out the possibility of a server backdoor and discovered a zero-day server-side request forgery (SSRF) vulnerability. The security bug tagged CVE-2021-26855 is a remote code execution vulnerability enabling the hacker to steal data from several Microsoft Exchange mailboxes.

According to Volexity, the exploit does not need any authentication, remote or otherwise, or any prior technical knowledge of the server environment. The attacker only needs to identify the server running MS Exchange and the target account.

CVE-2021-26857 is an insecure deserialization RCE vulnerability that allowed hackers to run code as SYSTEM on Microsoft Exchange Server. Running the code would require administrator permission or a separate exploit such as a malware injection.

CVE-2021-27065 and CVE-2021-26858 are arbitrary-file-write remote code execution vulnerabilities that enabled an attacker to write a file on the server. The file write could only be possible after privileged access to the server through a successful CVE-2021-26855 exploit or stolen admin credentials.

Microsoft also addressed three more RCE bugs not related to any known attacks. These were:

About the attacks and perpetrators

There were several reported attacks on Exchange Server accounts, mostly targeted at infectious disease researchers, learning institutions, NGOs, and law firms in the US. But there were also several attacks reported in Asia, Europe, and the Middle East. Microsoft Threat Intelligence Center (MSTIC) identified the actor as Hafnium, an allegedly state-sponsored group of hackers operating from China. Microsoft explained that Hafnium is a group of highly skilled and sophisticated threat actors with a knack for US state secrets.

Hafnium perpetrated the attacks by deploying malicious web shells on already compromised servers. These shells would enable the attacker to steal data from the server. For instance, the actors could download the offline address book containing vital corporate information, mailbox data, and even account credentials from compromised servers.

Other espionage groups have also exploited the SSRF vulnerability (CVE-2021-26855) to target government assets in various countries.

Who is vulnerable?

All four vulnerabilities affect Exchange Server 2013, 2016, and 2019. Despite being a much earlier build, Microsoft Exchange Server 2010 SP3 is not vulnerable to any of the four exploits. The bugs only affect Exchange Offline. Exchange Online is safe from these specific attacks.

The attacks targeted dozens of private companies, not just government-related agencies and public organizations. And although there is no proof of concept at this time, there is a big possibility that these attacks have been running undetected for a couple of months now. Volexity had been tracking the exploit for nearly two months and is still one of the first groups credited with discovering the attack chain and the possible exploits.

According to Microsoft, any externally facing servers running Exchange Server 2013, 2016, or 2019 are in danger of these exploits. Microsoft has highlighted some of the indicators of an imminent or progressing attack and the procedures to identify various attack markers.

Recommended action

Microsoft’s recommendation is to install the newly released updates on all vulnerable systems immediately to protect corporate information from possible attacks. Servers running on older Exchange Server cumulative may need to be updated to the latest rollout version in order to accept the new security fixes.

Since the first stage of the attack requires a connection to the server via port 443, Microsoft says it can be prevented by restricting untrusted connections or separating the Exchange Server from external networks via a VPN. If this initial portion of the attack fails, the rest of the chain breaks down.

Stay updated

The week leading up to this month’s out-of-band patch release was quite eventful. This release batch may even overshadow the upcoming official Patch Tuesday. But anyway, we’ll just have to wait and see what Microsoft has in store.

After realizing just how intrusive and devastating an Exchange Server attack can be, now might be a good time to learn more about defending your Exchange Server from all forms of attacks. The important thing to remember is to keep all systems up-to-date and follow security patch news and releases to stay informed on new zero-day exploits and other risks.

Never Miss an Update with Action1 Patch Management Solution

New patches and features updates present opportunities to improve your IT performance and safeguard your digital assets against internal and external threats. It’s up to you to ensure that these patches are installed correctly and promptly to avoid compromising your IT security posture and efficiency.

With the Action1 patch management solution, you never have to worry about patches or other updates on your Windows systems. Action1 enables automated patching on Windows OS and features while allowing real-time control and visibility into the updates already installed and those that are missing. Our patch manager reinforces your endpoint security by automatically scanning and deploying all the necessary Windows updates as soon as they’re released.

Start your Action1 free trial today and sample the freedom, peace of mind, convenience, and reassurance of protecting your software infrastructure using the most robust and dependable automated patch management solution.

March 9, 2021

Related Articles

MSP Pricing Models Guide: Achieving MSP Profitability in 2021

MSP Pricing Models Guide: Achieving MSP Profitability in 2021

Managed IT services is one of the fastest-growing and most lucrative sectors of the business tech industry. The global IT services market is on track to hit $1.1 trillion by 2026, registering an 8.02 CAGR between 2021 and 2026. Although the managed IT market is...

Sure Strategies and Ways to Prevent Cyber Attacks

Sure Strategies and Ways to Prevent Cyber Attacks

Cybercriminals have been leveraging the latest in technology to plan and execute sophisticated cyberattacks. They use artificial intelligence, the Internet of things (IoT), bots, etc., to execute malware installations, ransomware infections, man-in-the-middle (MITM)...

About Action1 RMM

Action1 RMM is a cloud-based IT solution for remote monitoring and management, patching, and remote support.

Start your free two-week trial of Action1, or use RMM tools for free forever on 50 endpoints with no functionality limitations!



0 Comments

Submit a Comment

Your email address will not be published.

cloud patch management solutions action1

MSP Solution

Centralize endpoint management and boost efficiency of IT service delivery.

automated server patch management action compliance

Patch Management

Identify and deploy missing OS and third-party software updates.

cloud software deployment tools windows

Software Deployment

Distribute software and updates across managed endpoints.

software distribution tools software inventory action1

IT Asset Inventory

Keep a detailed inventory and manage hardware and software assets.

web client remote desktop

Remote Desktop

Support users via seamless remote desktop connection.

web based rdp client

Unattended Access

Provide administrative support and manage remote devices.

automated patch management action1

Endpoint Management

Run PowerShell, custom scripts, reboot computers and restart services.

API integrations action1

RESTful API

Integrate Action1 RMM to your IT ecosystem.

computer inventory tool for compliance

Reports and Alerts

Conduct endpoint security audits with comprehensive reporting.