CVSS v3.1 base score: 9.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality Impact: High | Integrity Impact: High | Availability Impact: High

CVSS v2 base score: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network | Access Complexity: Low | Authentication: None | Confidentiality Impact: Partial | Integrity Impact: Partial | Availability Impact: Partial
Co-authored by Ryan Barnett.
On March 2, 2021, the Microsoft Security Response Center alerted its customers to several critical security updates to Microsoft Exchange Server, addressing vulnerabilities currently under attack.
The United States Computer Emergency Readiness Team (US-CERT), part of the Cybersecurity and Infrastructure Security Agency (CISA), also issued an alert with recommendations on how to mitigate the vulnerabilities.
CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
Customers that use Akamai Web Application Firewall solutions, Kona Site Defender and Web Application Protector, with the Automated Attack Groups engine have received an automatic update for protection. Akamai recommends that customers using Automated Attack Groups set all their attack groups, but specifically the Web Platform Attack Group, to Deny to prevent these exploitation attempts.
Kona Site Defender customers using Kona Rule Set (KRS) should update their profile and enable the newly released rule IDs 3000083 and 3000084 in the Total Request Score (Inbound) attack group in order to protect against attempts to exploit the following CVEs:
Akamai recommends that either the attack group or the individual KRS rules be put into Deny mode to protect against attempts to exploit these vulnerabilities.
Akamai’s research and intelligence teams observed that attackers have been quick to automate their target identification and exploitation attempts. A variety of existing controls in Akamai’s security portfolio are designed to detect these attempts:
If you have any questions, please reach out to Akamai Support Services or your account team.
Over the last 48 hours on our global platform we have observed:
Figure: Attack sources; the top number represents the number of requests and the bottom number represents the number of IPs
We’ve confirmed active exploitation attempts against the Microsoft Exchange/Outlook Web Access zero-day vulnerabilities.
Successful exploitation allows an unauthenticated attacker to execute arbitrary code and install webshells on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.
Mitigation and remediation can be achieved by following these steps:
Companies should consider implementing Zero Trust Network Access (ZTNA) to be able to weather software vulnerabilities like these. Unlike the traditional “verify, then trust” model – in which anyone presenting the correct user credentials is admitted to whichever site, app, or device they request – ZTNA dictates that users and devices are never trusted and can only access applications and data after passing a secure authentication and authorization process that does not rely solely on user credentials. You can read more about how ZTNA can protect corporate resources in the context of these Microsoft Exchange vulnerabilities in the blog post, Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool.