Microsoft got an early start on Patch Tuesday, releasing a series of out-of-band security updates this week to address four zero-day vulnerabilities in Exchange Server. There’s been a lot of security activity in the news, so I’m sure it is going to be a busy Patch Tuesday.
The Microsoft Security Response Center reported known attacks against Exchange Server by the hacking group Hafnium. The four vulnerabilities involved in the exploit are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. They are all listed as remote code execution vulnerabilities with CVSS v3 base scores ranging from 7.8 to 9.1. Microsoft reported that the attacks are active and external-facing servers should be updated immediately. They’ve also provided a series of PowerShell scripts to help identify whether you’ve been attacked, along with other indicators of compromise to look for.
The latest security updates from Microsoft addressing these vulnerabilities will install only on Exchange Server 2013 (CU23), Exchange Server 2016 (CU18 or CU19), and Exchange Server 2019 (CU7 or CU8). You must install the latest cumulative updates before installing the security patches. Early reports from the field indicate the updates apply smoothly following Microsoft’s directions, with a reboot required.
This announcement also included a Defense in Depth security update for Exchange Server 2010 SP3. Exchange Server 2010 is not vulnerable to this specific attack, but Microsoft has addressed some related CVEs in Exchange Server 2010 and advises applying the security update if you are running this older system. Exchange Online is not affected by this attack. On a final note, the next set of cumulative updates coming in March for the three versions of Exchang ..