CVE-2021-34473

Analysis and mitigation of the Exchange Server vulnerability — CRITICAL (CVSS 9.1)

High-profile threat

Overview

Microsoft Exchange Server contains a critical pre-authentication remote code execution vulnerability in the Client Access Service (CAS), the IIS frontend that authenticates clients and proxies their requests to the Exchange backend. A path-confusion flaw in the Autodiscover endpoint lets an unauthenticated attacker make the frontend forward requests to arbitrary backend URLs, with no authentication or user interaction. CVE-2021-34473 is the entry point of the ProxyShell exploit chain (together with CVE-2021-34523 and CVE-2021-31207) presented at Black Hat USA 2021, and it was exploited at scale from August 2021. Microsoft had already fixed it in the April 2021 Security Update (KB5001779) but only published the CVE in July 2021 (MSRC on 13 July, NVD on 14 July 2021). CISA has identified CVE-2021-34473 as exploited in the wild and notes that it is known to be used in ransomware campaigns.

Technical details

CVE-2021-34473 is a pre-authentication path-confusion vulnerability in the Exchange Client Access Service, the IIS frontend (Default Web Site, TCP 443) that terminates client connections and proxies them to the backend site (TCP 444) using its own, highly privileged credentials. The frontend's Autodiscover handler accepts requests of the form /autodiscover/autodiscover.json?@domain/<backend path>?Email=autodiscover/autodiscover.json%3F@domain. When it resolves the explicit-logon form of the URL, the frontend removes the Email value (autodiscover/autodiscover.json?@domain) from the request URL and proxies what is left, for example /mapi/nspi/ or /powershell/, to the backend as if it were a legitimate, already authenticated request. An unauthenticated attacker can therefore reach arbitrary backend endpoints through the frontend. On its own the flaw does not execute code: in the ProxyShell chain it is used to reach the Exchange PowerShell backend, CVE-2021-34523 is used to act as a mailbox-owning identity there, and CVE-2021-31207 (arbitrary file write through mailbox export) is used to drop a web shell that runs with the privileges of the Exchange IIS application pools, which are LocalSystem.

The vulnerability is a server-side request forgery class weakness (CWE-918, Server-Side Request Forgery): the frontend issues a request to a backend URL controlled by the attacker. It involves no deserialization of untrusted data and no memory corruption.

Microsoft rates the vulnerability with a CVSS v3.0 base score of 9.1 (CRITICAL), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; NVD's CVSS v3.1 assessment is 9.8 (same vector with A:H). Both reflect a network-reachable flaw that requires neither privileges nor user interaction.

Impact

Successful exploitation gives an unauthenticated remote attacker the frontend's privileged access to the Exchange backend; chained with CVE-2021-34523 and CVE-2021-31207 it yields arbitrary code execution on the server. Because Exchange's IIS application pools run as LocalSystem, a web shell dropped this way runs with SYSTEM privileges, enabling attackers to: (1) read and exfiltrate mailbox contents, including email, contacts and calendar entries, for any user; (2) modify or delete mail; (3) abuse the server's Active Directory permissions (Exchange servers hold extensive rights through the Exchange Trusted Subsystem) to create privileged accounts or move towards domain compromise; (4) use the server as a pivot for lateral movement; (5) deploy malware or ransomware; (6) disable security controls and auditing. The business impact is severe because Exchange servers hold highly sensitive corporate communications and are, by design, reachable from the Internet.

Mitigation and workarounds

Install the Exchange Security Update (SU) that contains the fix, or move to a Cumulative Update (CU) that already includes it. The fix shipped in the April 2021 SU (KB5001779); later SUs and CUs are cumulative and also contain it. Updates are available through Microsoft Update, the Microsoft Update Catalog and the download links in the MSRC advisory. SUs are built per CU, so the server must first be on a CU for which the SU exists. Versions that contain the fix: Exchange Server 2013 CU23 with the April 2021 SU or a later SU; Exchange Server 2016 CU19 or CU20 with the April 2021 SU or a later SU, or CU21 and later; Exchange Server 2019 CU8 or CU9 with the April 2021 SU or a later SU, or CU10 and later. Exchange Server 2010 is not affected (it left support in October 2020). For each server: (1) confirm the installed CU and download the matching SU or the target CU; (2) run the installer from an elevated command prompt (an SU .msp started without elevation can leave services stopped and the installation incomplete); (3) reboot if prompted; (4) verify the build, for example with Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo } or Microsoft's HealthChecker.ps1 script, and confirm client functionality; (5) review the setup logs for the installation status.

As temporary workarounds: there is no configuration change that removes the flaw, because it sits in the frontend's request handling on TCP 443, the same port that Outlook, OWA, EWS, ActiveSync and Autodiscover clients need. Until the update is installed, restrict inbound HTTPS to the Exchange frontend to trusted networks, or place it behind a VPN or a reverse proxy that authenticates before forwarding (this also reduces exposure to other pre-authentication frontend bugs). Because exploitation was widespread before many servers were patched, treat patching as incomplete until a compromise check has been done: review the frontend IIS logs (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\) for requests to /autodiscover/autodiscover.json whose query string begins with @ or carries Email=autodiscover/autodiscover.json, look for unexpected .aspx files under the FrontEnd\HttpProxy\owa\auth and FrontEnd\HttpProxy\ecp directories of the Exchange installation, and list mailbox export requests you did not create with Get-MailboxExportRequest. Disabling the Unified Messaging role, filtering ports 25, 135-139 or 445, or changing UM authentication settings does not address this vulnerability.
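The log review described above, as an added example that is not part of the original report: a Python scanner for IIS W3C frontend logs that flags Autodiscover requests matching the path-confusion pattern (query string starting with @domain/<backend path>, or an Email parameter set to autodiscover/autodiscover.json?@...). The log lines are constructed for this example and are not a capture from a real server; the client address, the attacker domain and the backend-path descriptions are illustrative assumptions. The field layout follows IIS's default W3C field set.

```python
"""Flag ProxyShell-style (CVE-2021-34473) Autodiscover path-confusion requests in IIS W3C logs."""
import re
from urllib.parse import unquote

# Constructed sample log, not a capture from a real server. Field layout follows the
# default IIS W3C fields of the Exchange frontend site (Default Web Site, W3SVC1).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-07 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-07 12:00:01 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 120
2021-08-07 12:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=TOKEN&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 300
2021-08-07 12:00:03 10.0.0.5 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F%40evil.example 443 - 203.0.113.7 - - 200 0 0 80
2021-08-07 12:01:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40example.com&Protocol=EWS 443 - 198.51.100.23 Microsoft+Office/16.0 - 200 0 0 45
2021-08-07 12:01:05 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 - 302 0 0 20
"""

# Backend paths the ProxyShell chain reaches through the confused frontend (descriptions
# are illustrative; the prefixes are the ones the chain is known to use).
BACKEND_HINTS = {
    "/powershell": "Exchange PowerShell backend, remote PowerShell abuse (CVE-2021-34523 stage)",
    "/mapi/nspi": "NSPI endpoint, mailbox SID and LegacyDN lookup",
    "/ews": "EWS, mailbox access and draft export",
    "/mapi/emsmdb": "MAPI over HTTP",
}

# Email parameter carrying the Autodiscover path itself: the backend URL is built from it.
EMAIL_CONFUSION = re.compile(r"email=autodiscover/autodiscover\.json\?@", re.I)
# Query string beginning with @domain followed by the backend path to reach.
LEADING_AT = re.compile(r"^@[^/]+(/[^?]*)")


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: do not guess column positions
        yield dict(zip(fields, parts))


def classify(stem, query):
    """Return a reason string if the request looks like CVE-2021-34473 abuse, else None."""
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return None
    decoded = unquote(query)  # %3F / %40 in the Email value must be decoded before matching
    m = LEADING_AT.match(decoded)
    if m:
        target = m.group(1).lower()
        for prefix, desc in BACKEND_HINTS.items():
            if target.startswith(prefix):
                return f"path confusion to {target} ({desc})"
        return f"path confusion to {target}"
    if EMAIL_CONFUSION.search(decoded):
        return "Email parameter set to autodiscover/autodiscover.json?@ (backend URL injection)"
    return None


def find_proxyshell(text):
    """Scan an IIS W3C log and return the suspicious requests as a list of dicts."""
    hits = []
    for rec in parse_w3c(text):
        reason = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if reason:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "status": rec.get("sc-status"),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for h in find_proxyshell(SAMPLE_LOG):
        print(h["time"], h["client"], h["status"], h["reason"])
```

On a real server, pass the contents of each file under the W3SVC1 log directory to find_proxyshell; the legitimate Autodiscover request in the sample (an Email value that is simply a user address) is deliberately not flagged, since a bare @ in the query string is normal for that endpoint. A 200 status on a flagged request means the frontend proxied it, so those hits deserve a full compromise investigation, not just patching.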

CISA recommendation: Apply updates per vendor instructions.

Source: this report was generated by AI.

Related Microsoft vulnerabilities

CVE-2021-34473 is the first stage of the ProxyShell chain. The other two stages affect the same Exchange Server versions: CVE-2021-34523, an elevation of privilege in the Exchange PowerShell backend, fixed in the April 2021 Security Update (KB5001779) and published in July 2021, and CVE-2021-31207, a post-authentication arbitrary file write via mailbox export, fixed in the May 2021 Security Update (KB5003435). A server that has installed the May 2021 SU or any later SU or CU is protected against all three.