Microsoft issued an update to its recent March Cumulative Update for its Exchange Server platform aimed at patching four critical vulnerabilities that have recently become exploits.
Today's March 9, 2021, update follows a previously issued emergency patch for its 2013, 2016, and 2019 Exchange Server products that have become the recent targets of cyberattacks from a presumed nation-state. Internally, Microsoft is tracking CVE-2021-26855, CVE-2021-26857, CVE 2021-26858, and CVE-202-27065 as the four identifiable flaws within its various Exchange Server platforms for on-premise setups.
Microsoft's community support forum details the steps admins can use to temporarily patch the vulnerabilities within their systems against the latest cyberattack.
- These updates must be installed from an elevated command prompt:
- Download the update but do not run it immediately.
- Temporarily disable file-level antivirus software
- Select Start, and type CMD.
- In the results, right-click Command Prompt, and then select Run as administrator.
- If the User Account Control dialog box appears, choose Yes, and then select Continue.
- Type the full path of the .msp file, and then press Enter.
- After the installation is finished, re-enable the antivirus software, and then restart the computer. (You might be prompted by the installer to restart.)
Among the additional crucial bits of protection, the community support blog also hosts information that includes the limitations to Microsoft's support of affected Exchange Servers. Embedded within Microsoft's community support blog is the company's explanation on why it's currently racing to patch and protect previously unsupported platforms as well as the distinction that these new updates should not infer future support.
These update packages contain only fixes for March 2021 CVEs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065); no other product updates or security fixes are included. Installing these updates does not mean an unsupported CU is now supported.
Today's update comes as an acknowledgment by Microsoft that its on-premise Exchange Server has become the highlighted target of malicious online attacks twice within a year or so. While not the scale of SolarWinds, the Hafnium cyberattack has been running for some time and is in its own right has the potential to be crippling.
An estimated 18,000 organizations worldwide are potentially affected by the Hafnium cyberattack. The list of vulnerabilities for the affected Exchange servers includes Server-Side Request Forgery for HPPT requests that don't require authentication, insecure decentralization at the SYSTEM level, and write paths to post-authentication arbitrary file writes.
Back in late February, Microsoft was brought before Congress to answer questions regarding the massive SolarWinds cyberattack, and it stands to reason the company will be questioned about this most recent attack and what steps it's going to take going forward to mitigate this level and occurrence of cyber-attacks to its older on-premise Exchange Servers.