

Microsoft Exchange Server Remote Code Execution Vulnerability

9 November, 2021

Executive Summary

Microsoft issued a warning regarding a newly discovered post-authentication vulnerability in on-premises Exchange Server 2016 and 2019 that allows an authenticated attacker to execute code remotely on a vulnerable Exchange Server. Microsoft has released security patches for this flaw in its November 2021 Exchange Security Updates. The vulnerability does not affect Microsoft Exchange Online customers.

Details

CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability

Due to a flaw in how Microsoft Exchange Server validates cmdlet arguments, a threat actor can achieve remote code execution on a vulnerable server.

To exploit this flaw, an attacker must first be authenticated to the vulnerable server, which limits exploitation to actors who already hold valid credentials. However, Microsoft has observed “limited targeted attacks” attempting to exploit this vulnerability in the wild.

Affected versions:

Microsoft Exchange Server 2016, Cumulative Update (CU) 21 and 22

Microsoft Exchange Server 2019, Cumulative Update (CU) 10 and 11

Recommendations

Microsoft has released an official fix in its November Patch Tuesday security updates to address this vulnerability. Update to the latest supported version of Microsoft Exchange Server 2016 and 2019 and apply the November security update, following the update path listed in Microsoft’s November security blog post.

Additionally, Microsoft has supplied a PowerShell one-liner that searches the Application event log for the specific error events associated with exploitation attempts against this vulnerability.

PowerShell Script
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
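Microsoft’s one-liner only inspects the local server and pulls the entire Application log before filtering. The script below is an added example (it is not Microsoft’s script and not Security On-Demand’s) that runs the same check across every on-premises Exchange mailbox server in the organization, bounded to a time window, and writes the hits to a CSV for incident response. It assumes it is run from the Exchange Management Shell so that Get-ExchangeServer is available (outside EMS it falls back to the local machine), that the account can read the Application log on each server remotely, and that the $Days and $OutFile defaults are illustrative.

```powershell
<#
  Added example, not part of the original advisory and not Microsoft's code.
  Sweeps Exchange mailbox servers for the "MSExchange Common" error events
  that Microsoft's one-liner keys on (BinaryFormatter.Deserialize) and
  exports one record per hit.

  Assumptions: run from the Exchange Management Shell (Get-ExchangeServer);
  remote event-log read rights on each server; $Days / $OutFile are
  illustrative defaults.
#>
param(
    [int]$Days = 30,
    [string]$OutFile = "$env:TEMP\CVE-2021-42321-events.csv"
)

$since = (Get-Date).AddDays(-$Days)

if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    # Mailbox servers host the affected code paths. AdminDisplayVersion is
    # kept so a responder can map each hit to the server's CU/build.
    $servers = Get-ExchangeServer |
        Where-Object { $_.ServerRole -like '*Mailbox*' } |
        Select-Object Name, AdminDisplayVersion
} else {
    # Plain PowerShell (no EMS): check only the local machine.
    $servers = @([pscustomobject]@{ Name = $env:COMPUTERNAME; AdminDisplayVersion = 'unknown' })
}

$hits = foreach ($srv in $servers) {
    # Get-WinEvent with a filter hashtable applies the provider, level and
    # time filters on the remote side, which is far cheaper than reading the
    # whole Application log with Get-EventLog. Level 2 = Error, matching the
    # -EntryType Error in Microsoft's one-liner.
    $errs = $null
    Get-WinEvent -ComputerName $srv.Name -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Common'
        Level        = 2
        StartTime    = $since
    } -ErrorAction SilentlyContinue -ErrorVariable errs |
    Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
    ForEach-Object {
        [pscustomobject]@{
            Server      = $srv.Name
            Build       = $srv.AdminDisplayVersion
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            # Collapse whitespace so the multi-line message fits one CSV cell.
            Message     = ($_.Message -replace '\s+', ' ')
        }
    }

    # Get-WinEvent reports "no events found" through the error stream; only
    # surface real failures (RPC unavailable, access denied) so a quiet
    # server is not mistaken for an unreachable one.
    foreach ($e in $errs) {
        if ($e.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($srv.Name): $($e.Exception.Message)"
        }
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host "$(@($hits).Count) matching event(s) written to $OutFile"
} else {
    Write-Host "No BinaryFormatter.Deserialize errors from 'MSExchange Common' since $since on $(@($servers).Count) server(s)."
}
```

Save it under any name (for instance Find-Cve202142321Events.ps1, a hypothetical filename) and run it from EMS with -Days widened to cover the period before the patch was applied. A hit means Exchange logged a failed deserialization of attacker-controlled input and should be handed to incident response along with the server and build recorded in the CSV; an empty result only shows that this one indicator is absent, so it should not by itself be read as proof that a server was never targeted.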


SOD Actions

At this time, Security On-Demand recommends following Microsoft’s supplied update path for their November Patch Tuesday updates for Exchange Server 2013, 2016 and 2019.

If you suspect exploitation, run the script above to narrow down the relevant events and engage your incident response procedures accordingly.

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates.

Sources

CVE-2021-42321 – Microsoft Threat Advisory

Microsoft Security Update – November 2021 Exchange Server Security Updates

Microsoft Exchange Bug – Bleeping Computer News Post