Security researcher Janggggg (@testanull on Twitter) published a proof-of-concept exploit for CVE-2021-42321, a remote code execution (RCE) vulnerability in Microsoft Exchange that affects on-premises servers running Microsoft Exchange 2016 and 2019, including those using Exchange Hybrid mode.
This exploit enables authenticated threat actors to execute code remotely on vulnerable servers and launch an attack.
Microsoft’s November 2021 Patch Tuesday addresses the vulnerability, so administrators should patch immediately.
A remote code execution vulnerability is always severe because it lets threat actors attack a machine without having local access to it. Microsoft assigned it a base score of 8.8, which falls in the High severity range.
This vulnerability is essentially a bug in how Exchange allowed certain data to be stored in the BinaryData section of a UserConfiguration on a folder. When a UserConfiguration is set with a payload in its BinaryData and the attacker then requests a ClientAccessToken, Exchange deserializes that data, which triggers a deserialization bug and results in execution of the payload stored in BinaryData.
Fortunately, Microsoft’s November patch mitigates the risk, and threat actors must already be authenticated users to take advantage of the bug.
Administrators should immediately install the patches issued in Microsoft’s November Patch Tuesday.
Admins running Exchange servers should also check whether attackers have attempted to exploit them. According to Bleeping Computer, admins can run the following PowerShell query on each server to look for the relevant error events in the Application event log:
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
In the end, this vulnerability and attack do not differ much from previous Exchange attacks in 2021. The attack itself has a set number of steps: authenticate as a user, update specific configurations on that user, and then trigger the actual vulnerability against the host itself.
This PoC requires a chain of 4 POST requests to Exchange as an authenticated user to be successful. It is possible to detect this attack using the following logic, although it may produce false positives without some tuning for your environment.
4 POSTs to /ews/exchange.asmx on IIS from a public IP with User-Agent ExchangeServicesClient/15.01.2308.008 over a short period of time. This detection depends heavily on the User-Agents seen in your environment and may result in false positives:
src_ip = <Public IP>
AND agent="ExchangeServicesClient/15.01.2308.008"
AND url="/EWS/Exchange.asmx"
AND method="POST"
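The detection logic above, worked through as an added example (not Blumira's own code): it parses constructed IIS log lines, keeps only EWS POSTs from non-internal source IPs carrying the suspect User-Agent, and alerts when at least 4 of them fall inside a sliding time window. The field order, the 4-request threshold, the 60-second window and the "internal" ranges are all assumptions to tune for your environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IIS lines (not real traffic); fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
SAMPLE_IIS_LOG = """\
2021-11-22 14:01:03 203.0.113.7 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:01:04 203.0.113.7 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:01:06 203.0.113.7 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:01:09 203.0.113.7 POST /ews/exchange.asmx 500 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:02:00 10.0.0.5 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:02:01 10.0.0.5 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:02:02 10.0.0.5 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:02:03 10.0.0.5 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:10:00 198.51.100.9 GET /owa/ 200 Mozilla/5.0
2021-11-22 14:11:00 198.51.100.9 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
2021-11-22 14:30:00 198.51.100.9 POST /ews/exchange.asmx 200 ExchangeServicesClient/15.01.2308.008
"""

SUSPECT_AGENT = "ExchangeServicesClient/15.01.2308.008"
EWS_PATH = "/ews/exchange.asmx"
# Assumption: RFC 1918, loopback and link-local count as internal; anything else is treated as "public"
# (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for public IPs here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_ews_post_chains(log_text, min_posts=4, window_seconds=60, agent=SUSPECT_AGENT):
    """Return {src_ip: first_hit_time} for public IPs that sent at least min_posts
    POSTs to EWS with the given User-Agent inside any span of window_seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip blanks and W3C header lines
            continue
        date, time, ip, method, uri, _status, ua = line.split(maxsplit=6)
        if method != "POST" or uri.lower() != EWS_PATH or ua != agent or is_internal(ip):
            continue
        hits[ip].append(datetime.fromisoformat(f"{date} {time}"))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - min_posts + 1):    # sliding window over the sorted hits
            if times[i + min_posts - 1] - times[i] <= window:
                alerts[ip] = times[i]
                break
    return alerts
```

Running find_ews_post_chains(SAMPLE_IIS_LOG) flags only 203.0.113.7: the internal 10.0.0.5 burst is excluded and 198.51.100.9 never reaches 4 requests in one window.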
Otherwise, Blumira recommends using Sysmon to detect this the same way as other Exchange vulnerabilities. By their nature, these exploits require the IIS/Exchange worker process w3wp.exe to be leveraged to pivot into another process. In these situations we expect to see Sysmon process-creation patterns such as:
user LIKE "%DefaultAppPool%"
AND parent_process_name LIKE "%w3wp.exe%"
AND process_name LIKE "%cmd%"
This will tell you whenever your w3wp (IIS) service spawns command shells, or similar processes if you adjust the process_name filter to the pivot you’re trying to identify.
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira can detect activity related to Microsoft Exchange exploits, as well as many other security incidents.
Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.
Dealing with yet another Microsoft vulnerability before a holiday weekend is frustrating, but Blumira’s security experts can help.
Watch our livestream with Blumira’s Matthew Warner, CTO and Co-Founder, to get your questions answered before you sign off for the holiday.