Microsoft released up to three new patches for its Exchange software on Tuesday after the National Security Agency (NSA) alerted the company to a fresh batch of critical vulnerabilities.
The new fixes apply to Exchange Server 2013, 2016, and 2019, and the flaws are said to be different from the ones found in March. US agencies were still finding and removing vulnerabilities within their systems a month after the previous flaws were discovered.
In response to the release of these new fixes, the White House ordered all of its agencies to install them, warning that the vulnerabilities pose an unacceptable risk to all Federal operations.
Microsoft Exchange Server, the email and calendar software, is used in on-premises data centers, and the popularity of the system was highlighted by the number of reported breaches that followed the discovery of the initial flaws.
A White House statement said: "Microsoft released a set of Exchange patches today that are critical, we urge all owners and operators of Microsoft Exchange Servers to apply these latest patches immediately."
Exchange Server vulnerabilities have caused issues for a number of organizations across the globe, with many servers already breached and still vulnerable through embedded backdoors. Microsoft spotted the Chinese state-sponsored hacking group Hafnium using the vulnerability to break into Exchange Servers in order to view or steal their contents.
Microsoft patched these vulnerabilities, but the backdoors embedded within the breached servers were not closed. After a few days, other hacking groups began hitting compromised servers with the same flaws in order to deploy ransomware.
As a result, a US court authorized FBI operations to copy and remove the backdoors from hundreds of Exchange Servers. The Justice Department said that the operation was successful; however, it only removed the backdoors and did not patch the vulnerabilities that were exploited by the hackers or remove any malware that had already been left behind.
In this release, Microsoft fixed four remote code execution (RCE) flaws (CVE-2021-28480 through CVE-2021-28483) affecting on-premises Exchange Server 2013, 2016, and 2019.
Two of the code execution bugs are unauthenticated, require no user interaction, and carry a CVSS score of 9.8 out of a maximum of 10.
The release also included fixes for 27 RCE flaws in Windows RPC, among others. Microsoft said that four additional vulnerabilities were publicly known at the time of release but never exploited:
- CVE-2021-28458 which is Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
- CVE-2021-27091 which is RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
- CVE-2021-28437 which is Windows Installer Information Disclosure Vulnerability
- CVE-2021-28312 which is Windows NTFS Denial of Service Vulnerability
Aside from this, April's patches addressed the 27 flaws in the Remote Procedure Call (RPC) runtime, a Hyper-V security feature bypass vulnerability (CVE-2021-28444), and multiple privilege escalation flaws in the Windows Speech Runtime, Windows Services, and the Controller App.