AttackerKBAKB:BD645B28-C99E-42EA-A606-832F4F534945CVE-2021-27065
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
100.0%
Microsoft Exchange Server Remote Code Execution Vulnerability
Recent assessments:
wvu-r7 at March 10, 2021 7:13am UTC reported:
When used with CVE-2021-26855, an unauthenticated SSRF, CVE-2021-27065 yields unauthed, SYSTEM-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the EAC/ECP interface, which is a privileged and authenticated web interface.
I was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target’s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for EWS, but “OAB” caught my eye due to its published IOCs. (OAB is Microsoft’s implementation of offline address books in Exchange.)
Writing an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are well-documented by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.
cdelafuente-r7 at March 24, 2021 3:26pm UTC reported:
When used with CVE-2021-26855, an unauthenticated SSRF, CVE-2021-27065 yields unauthed, SYSTEM-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the EAC/ECP interface, which is a privileged and authenticated web interface.
I was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target’s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for EWS, but “OAB” caught my eye due to its published IOCs. (OAB is Microsoft’s implementation of offline address books in Exchange.)
Writing an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are well-documented by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 4
References
packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
100.0%