Lucene search

K
attackerkbAttackerKBAKB:BD645B28-C99E-42EA-A606-832F4F534945
HistoryMar 03, 2021 - 12:00 a.m.

CVE-2021-27065

2021-03-0300:00:00
attackerkb.com
407

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.

Recent assessments:

wvu-r7 at March 10, 2021 7:13am UTC reported:

When used with CVE-2021-26855, an unauthenticated SSRF, CVE-2021-27065 yields unauthed, SYSTEM-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the EAC/ECP interface, which is a privileged and authenticated web interface.

I was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target’s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for EWS, but “OAB” caught my eye due to its published IOCs. (OAB is Microsoft’s implementation of offline address books in Exchange.)

Writing an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are well-documented by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.

cdelafuente-r7 at March 24, 2021 3:26pm UTC reported:

When used with CVE-2021-26855, an unauthenticated SSRF, CVE-2021-27065 yields unauthed, SYSTEM-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the EAC/ECP interface, which is a privileged and authenticated web interface.

I was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target’s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for EWS, but “OAB” caught my eye due to its published IOCs. (OAB is Microsoft’s implementation of offline address books in Exchange.)

Writing an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are well-documented by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 4

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%