Code, HTML, php web programming source code. Abstract code background - 3d rendering

New Exchange RCE vulnerability actively exploited

Tim Reed

Tim Reed

Exchange admins now have another exploit to deal with despite still reeling from a number of high profile attacks this year including ProxyLogon and ProxyShell. A new high severity Remote Code Execution (RCE) exploit for on-premise Exchange Servers has been published and is being actively exploited in the wild.

The Exchange vulnerability exploit being tracked as CVE-2021-42321, has a CVSSv3 score of 8.8, placing it firmly into the serious category. Thankfully, the issue was patched by Microsoft in this month’s updates, but earlier this week the Proof of Concept (PoC) exploit code was published by security researcher Janggggg, meaning there will likely be an increase in attacks. Janggggg garnered some attention when he released a PoC for the Exchange ProxyShell exploit in August.

This new deserialization exploit targets Exchange Server 2019 and Exchange Server 2016 including those in Exchange Hybrid mode and requires authentication. Previously, Exchange 2013 was thought to be affected but Microsoft updated its guidance on the 17th of November to state it was not.

Exchange Online customers are already protected and are not required to take any further action. Currently, the only known remediation is to apply the November Security Updates for Exchange which were released by Microsoft on 9th November as part of Patch Tuesday.

Microsoft has published some guidance on how updates might be completed, as it may be necessary to update to one of the supported Cumulative Updates (CUs) before applying the security update to remediate the Exchange vulnerability.

To identify servers that need updating, the Exchange Server Health Checker script can be run against your environment. Microsoft also offers the Exchange Update Wizard to help ensure that all necessary updates are installed.

Some users running in Exchange Hybrid mode had reported an issue after installing the update and receiving a “Something went wrong” error. The temporary workaround is to navigate to https://outlook.office.com/owa directly without URL redirects.

The following PowerShell query was also circulated to identify if your server has been targeted:

Get-EventLog -LogName Application -Source “MSExchange Common” -EntryType Error | Where-Object { $_.Message -like “*BinaryFormatter.Deserialize*” }

As Microsoft Exchange remains a popular target for exploitation, the guidance is to immediately apply the latest security patches to protect your environment. Sentrium can actively help you identify vulnerabilities, for more information take a look at our penetration testing services or contact us today.

Resources

  1. Automated vs manual penetration testing

    Automated vs manual penetration testing – which is best?

    Today’s online world is a little like a virtual battlefield, rife with threats and vulnerabilities. So, having a strong cybersecurity posture for your business is crucial. Penetration testing – either automated or manual – is an essential tool to protect sensitive data and systems from hackers. These two methods aim to make defences stronger against…

    Read more

  2. Mobile application penetration testing

    Safeguard your business with mobile app penetration testing

    Mobile applications have become an essential tool for businesses of all sizes to engage with customers, streamline operations and drive growth. However, the increasing reliance on mobile technology comes with a unique set of security challenges you can’t afford to overlook. Mobile applications introduce new attack surfaces and vulnerabilities that differ from traditional web-based applications.…

    Read more

  3. White box penetration testing

    Uncovering vulnerabilities with white box penetration testing

    As a business owner or IT professional, you understand the importance of protecting your company’s sensitive data, systems and reputation from cyber threats. One of the most effective ways to uncover vulnerabilities and strengthen your organisation’s security posture is through penetration testing, particularly white box penetration testing. White box penetration testing is a comprehensive approach…

    Read more

  4. API penetration testing

    Securing APIs through penetration testing

    APIs (Application Programming Interfaces) have become the backbone of many modern applications, and indeed the foundation of some businesses services. APIs enable seamless communication between applications, services and systems, allowing organisations to innovate, collaborate and deliver value to their customers. However, as reliance on APIs grows, so does the need for robust security measures to…

    Read more

  5. Password cracking: How to crack a password

    An introduction to password security: How to crack a password

    Online Password Cracking An online attack is performed in real-time, against live services or applications to compromise active user accounts. Such attacks typically occur when a malicious actor lacks direct access to the target system or application and aims to gain an initial foothold. The first step in conducting online password attacks involves establishing as…

    Read more

  6. The importance of a post-penetration test action plan

    The importance of a post-penetration test action plan

    As cyber threats continue to evolve and become more sophisticated, businesses must stay one step ahead in protecting their sensitive data and network infrastructure. Penetration testing is an essential tool in this ongoing battle. Penetration testing – also known as pen testing or ethical hacking – is a controlled approach to identifying vulnerabilities in an…

    Read more

Get in touch with our experts to discuss your needs

Get in touch