ID: CVE-2021-26854 | Type: cve | Reporter: cve@mitre.org | Modified: 2021-03-09T17:47:00
Description
Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
{"id": "CVE-2021-26854", "bulletinFamily": "NVD", "title": "CVE-2021-26854", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.", "published": "2021-03-03T00:15:00", "modified": "2021-03-09T17:47:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26854", "reporter": "cve@mitre.org", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854"], "cvelist": ["CVE-2021-26854"], "type": "cve", "lastseen": "2021-03-10T14:41:56", "edition": 3, "viewCount": 60, "enchantments": {"dependencies": {"references": [{"type": "mscve", "idList": ["MS:CVE-2021-26855", "MS:CVE-2021-26854", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065"]}, {"type": "attackerkb", "idList": ["AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "RAPID7BLOG:6C0062981975551A3565CCAD248A1573"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL"]}], "modified": "2021-03-10T14:41:56", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:BD645B28-C99E-42EA-A606-832F4F534945", "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1"]}], "modified": "2021-03-10T14:41:56"}, "score": {"value": 3.5, "vector": "NONE", "modified": "2021-03-10T14:41:56", "rev": 2}, "twitter": {"counter": 13, "tweets": [{"link": "https://twitter.com/SecureNetIT/status/1367180472254689282", "text": "Microsoft addressed four zero-days:\nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and 
CVE-2021-27065\nand...\nCVE-2021-27078, CVE-2021-26854, and CVE-2021-26412"}, {"link": "https://twitter.com/threatintelctr/status/1367115066865246218", "text": " NEW: CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. https://t.co/HGARyjYz0D?amp=1"}, {"link": "https://twitter.com/vigilance_fr/status/1367084603429842944", "text": "Vigil@nce #Vulnerability in Microsoft Exchange Server: multiple vulnerabilities. https://t.co/9osizV8mIJ?amp=1 References: #CVE-2021-26412, #CVE-2021-26854, #CVE-2021-26855. #infosec"}, {"link": "https://twitter.com/GrupoICA_Ciber/status/1369574101329805313", "text": "MICROSOFT\nMultiple high-severity vulnerabilities in MICROSOFT products: \n\nCVE-2021-24091,CVE-2021-24111,CVE-2021-26854,CVE-2021-26855,CVE-2021-26412\n\nMore info at: https://t.co/aouKs29xSn?amp=1\n#ciberseguridad #grupoica #microsoft"}, {"link": "https://twitter.com/threatintelctr/status/1369009892636438528", "text": " NEW: CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. Severity: HIGH https://t.co/9xJhn4QwoW?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1367115066827550730", "text": " NEW: CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. 
https://t.co/tuzbVWdnwh?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1367115066852671492", "text": " NEW: CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078. https://t.co/ptWWZ3IiPz?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1367115066877870091", "text": " NEW: CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. https://t.co/9xJhn4QwoW?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1375281456583348225", "text": " NEW: CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. Severity: CRITICAL https://t.co/nqK8LzU62W?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1375296549715070976", "text": " NEW: CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. 
Severity: CRITICAL https://t.co/nqK8LAbHrw?amp=1"}], "modified": "2021-03-10T14:41:56"}, "vulnersScore": 3.5}, "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "affectedSoftware": [{"cpeName": "microsoft:exchange_server", "name": "microsoft exchange server", "operator": "eq", "version": "2016"}, {"cpeName": "microsoft:exchange_server", "name": "microsoft exchange server", "operator": "eq", "version": "2016"}, {"cpeName": "microsoft:exchange_server", "name": "microsoft exchange server", "operator": "eq", "version": "2013"}, {"cpeName": "microsoft:exchange_server", "name": "microsoft exchange server", "operator": "eq", "version": "2019"}, {"cpeName": "microsoft:exchange_server", "name": "microsoft exchange server", "operator": "eq", "version": "2019"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854", "refsource": "MISC", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "scheme": null, "immutableFields": []}
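The cvss2 and cvss3 blocks above quote, for the same CVE, a v2 base of 6.5 (impactScore 6.4, exploitabilityScore 8.0) and a v3.1 base of 7.2 (impactScore 5.9, exploitabilityScore 1.2). The calculator below is an example added to this page, not code from NVD, Vulners or Microsoft; it re-derives both sets of numbers from the vector strings using the FIRST base-score equations, so a record's scores can be checked rather than copied. The metric weights and the v3.1 Roundup routine come from the public CVSS specifications; the round-half-up helper used for the v2 score and for the sub-scores is an assumption about how NVD displays them, and it reproduces every figure in this record.

```python
"""CVSS v2 and v3.1 base-score calculator (example code added to this page,
not from NVD, Vulners or Microsoft). Weights and equations are the public
FIRST specifications; used here to re-derive the scores in the record above."""
import math

# CVSS v3.1 weights (FIRST CVSS v3.1 specification, section 7.4).
AV3 = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC3 = {"L": 0.77, "H": 0.44}
PR3 = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}  # (S:U, S:C)
UI3 = {"N": 0.85, "R": 0.62}
CIA3 = {"H": 0.56, "L": 0.22, "N": 0.0}

# CVSS v2 weights (FIRST CVSS v2 guide, section 3.2.1).
AV2 = {"N": 1.0, "A": 0.646, "L": 0.395}
AC2 = {"L": 0.71, "M": 0.61, "H": 0.35}
AU2 = {"N": 0.704, "S": 0.56, "M": 0.45}
CIA2 = {"C": 0.660, "P": 0.275, "N": 0.0}


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' or 'AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = [p for p in vector.split("/") if not p.startswith("CVSS:")]
    return dict(p.split(":", 1) for p in parts)


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integer
    arithmetic so floating-point noise (4.000000000000001) does not become 4.1."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000
    return (i // 10000 + 1) / 10


def round1(x: float) -> float:
    """Round half up to one decimal; assumed to match how NVD displays
    v2 scores and the v3.1 impact/exploitability sub-scores."""
    return math.floor(x * 10 + 0.5) / 10


def cvss31_base(vector: str) -> dict:
    """Base, impact and exploitability scores for a CVSS v3.1 vector."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA3[m["C"]]) * (1 - CIA3[m["I"]]) * (1 - CIA3[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    expl = 8.22 * AV3[m["AV"]] * AC3[m["AC"]] * PR3[m["PR"]][int(changed)] * UI3[m["UI"]]
    if impact <= 0:
        base = 0.0
    elif changed:
        base = roundup(min(1.08 * (impact + expl), 10))
    else:
        base = roundup(min(impact + expl, 10))
    return {"base": base, "impact": round1(impact), "exploitability": round1(expl)}


def severity31(base: float) -> str:
    """CVSS v3.x qualitative rating."""
    if base == 0:
        return "NONE"
    if base < 4.0:
        return "LOW"
    if base < 7.0:
        return "MEDIUM"
    if base < 9.0:
        return "HIGH"
    return "CRITICAL"


def cvss2_base(vector: str) -> dict:
    """Base, impact and exploitability scores for a CVSS v2 vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA2[m["C"]]) * (1 - CIA2[m["I"]]) * (1 - CIA2[m["A"]]))
    expl = 20 * AV2[m["AV"]] * AC2[m["AC"]] * AU2[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    base = round1((0.6 * impact + 0.4 * expl - 1.5) * f_impact)
    return {"base": base, "impact": round1(impact), "exploitability": round1(expl)}


def severity2(base: float) -> str:
    """NVD's v2 rating bands."""
    if base < 4.0:
        return "LOW"
    if base < 7.0:
        return "MEDIUM"
    return "HIGH"


if __name__ == "__main__":
    # Vectors copied from the CVE-2021-26854 record above.
    v3 = "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
    v2 = "AV:N/AC:L/Au:S/C:P/I:P/A:P"
    print(v3, cvss31_base(v3), severity31(cvss31_base(v3)["base"]))
    print(v2, cvss2_base(v2), severity2(cvss2_base(v2)["base"]))
```

Running it gives 7.2/HIGH for the v3.1 vector and 6.5/MEDIUM for the v2 vector, matching baseSeverity and severity in the record; the same v2 routine returns 10.0 for the AV:N/AC:L/Au:N/C:C/I:C/A:C vector MSRC gives CVE-2021-26855 further down and 7.5 for AttackerKB's AV:N/AC:L/Au:N/C:P/I:P/A:P. The gap between the two scores for this CVE comes from the metric choices, not the equations: v3.1 PR:H (weight 0.27) says high privileges are needed where v2 Au:S (0.56) only says one authentication, and v3.1 rates all three impacts High where v2 rates them Partial, so the exploitability term collapses to 1.2 while the impact term sits at its maximum of 5.9. Two other things in the record should be read with that in mind: the CWE is NVD-CWE-noinfo and the MSRC entry carries an empty description, so nothing on this page says what the underlying flaw in CVE-2021-26854 is; and the wildExploited flag is inherited from AttackerKB topics whose cvelist covers all seven March 2021 Exchange CVEs, while the assessments quoted below concern CVE-2021-26855 and CVE-2021-26857, and the first tweet in the record lists this CVE separately from the four zero-days.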
{"mscve": [{"lastseen": "2021-03-18T19:14:18", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-26854"], "description": "\n", "modified": "2021-03-02T08:00:00", "published": "2021-03-02T08:00:00", "id": "MS:CVE-2021-26854", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26854", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:14:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-0940", "CVE-2018-0941", "CVE-2018-0986", "CVE-2018-8151", "CVE-2018-8152", "CVE-2018-8154", "CVE-2018-8159", "CVE-2018-8265", "CVE-2018-8302", "CVE-2018-8448", "CVE-2018-8581", "CVE-2018-8604", "CVE-2019-0586", "CVE-2019-0588", "CVE-2019-0686", "CVE-2019-0724", "CVE-2019-0817", "CVE-2019-0858", "CVE-2019-1084", "CVE-2019-1136", "CVE-2019-1137", "CVE-2019-1233", "CVE-2019-1266", "CVE-2019-1373", "CVE-2020-0688", "CVE-2020-0692", "CVE-2020-0903", "CVE-2020-16875", "CVE-2020-16969", "CVE-2020-17083", "CVE-2020-17084", "CVE-2020-17085", "CVE-2020-17117", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-24085", "CVE-2020-26412", "CVE-2020-26854", "CVE-2021-1730", "CVE-2021-24085", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "description": "\n", "modified": "2021-03-16T07:00:00", "id": "MS:CVE-2021-26855", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855", "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-18T19:14:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-0940", "CVE-2018-0941", "CVE-2018-0986", "CVE-2018-8151", "CVE-2018-8152", "CVE-2018-8154", "CVE-2018-8159", "CVE-2018-8265", "CVE-2018-8302", 
"CVE-2018-8448", "CVE-2018-8581", "CVE-2018-8604", "CVE-2019-0586", "CVE-2019-0588", "CVE-2019-0686", "CVE-2019-0724", "CVE-2019-0817", "CVE-2019-0858", "CVE-2019-1084", "CVE-2019-1136", "CVE-2019-1137", "CVE-2019-1233", "CVE-2019-1266", "CVE-2019-1373", "CVE-2020-0688", "CVE-2020-0692", "CVE-2020-0903", "CVE-2020-16875", "CVE-2020-16969", "CVE-2020-17083", "CVE-2020-17084", "CVE-2020-17085", "CVE-2020-17117", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-24085", "CVE-2020-26412", "CVE-2020-26854", "CVE-2021-1730", "CVE-2021-24085", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "description": "\n", "modified": "2021-03-16T07:00:00", "id": "MS:CVE-2021-27065", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065", "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-18T19:14:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-0940", "CVE-2018-0941", "CVE-2018-0986", "CVE-2018-8151", "CVE-2018-8152", "CVE-2018-8154", "CVE-2018-8159", "CVE-2018-8265", "CVE-2018-8302", "CVE-2018-8448", "CVE-2018-8581", "CVE-2018-8604", "CVE-2019-0586", "CVE-2019-0588", "CVE-2019-0686", "CVE-2019-0724", "CVE-2019-0817", "CVE-2019-0858", "CVE-2019-1084", "CVE-2019-1136", "CVE-2019-1137", "CVE-2019-1233", "CVE-2019-1266", "CVE-2019-1373", "CVE-2020-0688", "CVE-2020-0692", "CVE-2020-0903", "CVE-2020-16875", "CVE-2020-16969", "CVE-2020-17083", "CVE-2020-17084", "CVE-2020-17085", "CVE-2020-17117", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-24085", "CVE-2020-26412", "CVE-2020-26854", "CVE-2021-1730", "CVE-2021-24085", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], 
"description": "\n", "modified": "2021-03-16T07:00:00", "id": "MS:CVE-2021-26858", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858", "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-18T19:14:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-0940", "CVE-2018-0941", "CVE-2018-0986", "CVE-2018-8151", "CVE-2018-8152", "CVE-2018-8154", "CVE-2018-8159", "CVE-2018-8265", "CVE-2018-8302", "CVE-2018-8448", "CVE-2018-8581", "CVE-2018-8604", "CVE-2019-0586", "CVE-2019-0588", "CVE-2019-0686", "CVE-2019-0724", "CVE-2019-0817", "CVE-2019-0858", "CVE-2019-1084", "CVE-2019-1136", "CVE-2019-1137", "CVE-2019-1233", "CVE-2019-1266", "CVE-2019-1373", "CVE-2020-0688", "CVE-2020-0692", "CVE-2020-0903", "CVE-2020-16875", "CVE-2020-16969", "CVE-2020-17083", "CVE-2020-17084", "CVE-2020-17085", "CVE-2020-17117", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-24085", "CVE-2020-26412", "CVE-2020-26854", "CVE-2021-1730", "CVE-2021-24085", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "description": "\n", "modified": "2021-03-16T07:00:00", "id": "MS:CVE-2021-26857", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857", "published": "2021-03-02T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-03-25T18:19:46", "bulletinFamily": "info", "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, 
CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at March 24, 2021 2:49pm UTC reported:\n\nThree [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) exploiting this vulnerability have been added to Metasploit:\n\n 1. A scanner module that checks if the target is vulnerable to this Server-Side Request Forgery. \n\n 2. An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. \n\n 3. An exploit module that leverages an unauthenticated Remote Code Execution. This allows execution of arbitrary commands as the SYSTEM user. This module takes advantage of the same SSRF vulnerability and also of a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065>). \n\n\nThe auxiliary module (2) leverages this SSRF to retrieve the internal Exchange server name and query the [Autodiscover service](<https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover>) to retrieve other internal data. All of this is done without authentication through the Exchange Admin Center (EAC), usually located at `https://<ServerFQDN>/ecp`, so it needs to be accessible. It finally `POST`s to the EWS endpoint to dump emails, contacts, etc. Note that this exploit needs at least two Exchange servers to work. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets.\n\nThe exploit module (3) follows the same workflow but retrieves extra information such as the user SID, session ID, canary value, etc. Then, still using the SSRF, the module exploits the arbitrary-file-write vulnerability (CVE-2021-27065) to create a custom `.aspx` web page that embeds a web shell. Finally, once this backdoor is planted, it uses it to stage the actual payload and execute it. 
Note that, for this exploit to work, the email address used needs to be the email address of an Administrator on the Exchange server. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**wvu-r7** at March 09, 2021 7:01am UTC reported:\n\nThree [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) exploiting this vulnerability have been added to Metasploit:\n\n 1. A scanner module that checks if the target is vulnerable to this Server-Side Request Forgery. \n\n 2. An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. \n\n 3. An exploit module that leverages an unauthenticated Remote Code Execution. This allows execution of arbitrary commands as the SYSTEM user. This module takes advantage of the same SSRF vulnerability and also of a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065>). \n\n\nThe auxiliary module (2) leverages this SSRF to retrieve the internal Exchange server name and query the [Autodiscover service](<https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover>) to retrieve other internal data. All of this is done without authentication through the Exchange Admin Center (EAC), usually located at `https://<ServerFQDN>/ecp`, so it needs to be accessible. It finally `POST`s to the EWS endpoint to dump emails, contacts, etc. Note that this exploit needs at least two Exchange servers to work. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets.\n\nThe exploit module (3) follows the same workflow but retrieves extra information such as the user SID, session ID, canary value, etc. 
Then, still using the SSRF, the module exploits the arbitrary-file-write vulnerability (CVE-2021-27065) to create a custom `.aspx` web page that embeds a web shell. Finally, once this backdoor is planted, it uses it to stage the actual payload and execute it. Note that, for this exploit to work, the email address used needs to be the email address of an Administrator on the Exchange server. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-03-03T00:00:00", "published": "2021-03-03T00:00:00", "id": "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "href": "https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855", "type": "attackerkb", "title": "CVE-2021-26855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-11T18:15:14", "bulletinFamily": "info", "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 03, 2021 6:59pm UTC reported:\n\nAs per [Microsoft\u2019s blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on Exchange Server 0day use by the HAFNIUM actors, [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a deserialization vulnerability in Exchange Server\u2019s Unified Messaging (voicemail) service. 
Exploiting the vulnerability reportedly requires admin access or chaining with another vuln (likely [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)), but successful exploitation results in RCE as the `SYSTEM` account. This vulnerability would ideally be combined with an [auth bypass](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>), which CVE-2021-26855 may very well provide.\n\nI took a look at CVE-2021-26857 last night and came up with the following patch diff:\n \n \n --- exchange.unpatched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:54:18.000000000 -0600\n +++ exchange.patched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:55:19.000000000 -0600\n 
@@ -1,742 +1,886 @@\n \ufeffusing System;\n +using System.Collections.Generic;\n using System.Globalization;\n using System.IO;\n +using System.Runtime.Serialization;\n +using Microsoft.Exchange.Compliance.Serialization.Formatters;\n +using Microsoft.Exchange.Data;\n +using Microsoft.Exchange.Data.Common;\n using Microsoft.Exchange.Data.Directory;\n using Microsoft.Exchange.Data.Directory.Recipient;\n using Microsoft.Exchange.Data.Directory.SystemConfiguration;\n using Microsoft.Exchange.Data.Storage;\n using Microsoft.Exchange.Diagnostics;\n using Microsoft.Exchange.Diagnostics.Components.UnifiedMessaging;\n using Microsoft.Exchange.ExchangeSystem;\n using Microsoft.Exchange.TextProcessing.Boomerang;\n using Microsoft.Exchange.UM.UMCommon;\n +using Microsoft.Mapi;\n \n namespace Microsoft.Exchange.UM.UMCore\n {\n \tinternal abstract class PipelineContext : DisposableBase, IUMCreateMessage\n \t{\n \t\tinternal PipelineContext()\n \t\t{\n \t\t}\n \n \t\tinternal PipelineContext(SubmissionHelper helper)\n \t\t{\n \t\t\tbool flag = false;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tthis.helper = helper;\n \t\t\t\tthis.cultureInfo = new CultureInfo(helper.CultureInfo);\n \t\t\t\tflag = true;\n \t\t\t}\n \t\t\tfinally\n \t\t\t{\n \t\t\t\tif (!flag)\n \t\t\t\t{\n \t\t\t\t\tthis.Dispose();\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tpublic MessageItem MessageToSubmit\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageToSubmit;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic string MessageID\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageID;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageID = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal abstract Pipeline Pipeline { get; }\n \n \t\tinternal Microsoft.Exchange.UM.UMCommon.PhoneNumber CallerId\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerId;\n \t\t\t}\n \t\t}\n \n \t\tinternal Guid TenantGuid\n \t\t{\n \t\t\tget\n 
\t\t\t{\n \t\t\t\treturn this.helper.TenantGuid;\n \t\t\t}\n \t\t}\n \n \t\tinternal int ProcessedCount\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.processedCount;\n \t\t\t}\n \t\t}\n \n \t\tinternal ExDateTime SentTime\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.sentTime;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.sentTime = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal CultureInfo CultureInfo\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.cultureInfo;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string HeaderFileName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\tif (string.IsNullOrEmpty(this.headerFileName))\n \t\t\t\t{\n \t\t\t\t\tGuid guid = Guid.NewGuid();\n \t\t\t\t\tthis.headerFileName = Path.Combine(Utils.VoiceMailFilePath, guid.ToString() + \".txt\");\n \t\t\t\t}\n \t\t\t\treturn this.headerFileName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.headerFileName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerAddress\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerAddress;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerAddress = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerIdDisplayName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerIdDisplayName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerIdDisplayName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string MessageType\n \t\t{\n \t\t\tinternal get\n \t\t\t{\n \t\t\t\treturn this.messageType;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.messageType = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareUnProtectedMessage()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext:PrepareUnProtectedMessage.\", Array.Empty<object>());\n \t\t\tusing (DisposeGuard disposeGuard = default(DisposeGuard))\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = 
MessageItem.CreateInMemory(StoreObjectSchema.ContentConversionProperties);\n \t\t\t\tdisposeGuard.Add<MessageItem>(this.messageToSubmit);\n \t\t\t\tthis.SetMessageProperties();\n \t\t\t\tdisposeGuard.Success();\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual void PrepareNDRForFailureToGenerateProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual PipelineDispatcher.WIThrottleData GetThrottlingData()\n \t\t{\n \t\t\treturn new PipelineDispatcher.WIThrottleData\n \t\t\t{\n \t\t\t\tKey = this.GetMailboxServerId(),\n \t\t\t\tRecipientId = this.GetRecipientIdForThrottling(),\n \t\t\t\tWorkItemType = PipelineDispatcher.ThrottledWorkItemType.NonCDRWorkItem\n \t\t\t};\n \t\t}\n \n \t\tpublic virtual void PostCompletion()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"PipelineContext - Deleting header file '{0}'\", new object[]\n \t\t\t{\n \t\t\t\tthis.headerFileName\n \t\t\t});\n \t\t\tUtil.TryDeleteFile(this.headerFileName);\n \t\t}\n \n \t\tinternal static PipelineContext FromHeaderFile(string headerFile)\n \t\t{\n \t\t\tPipelineContext pipelineContext = null;\n \t\t\tPipelineContext result;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tContactInfo contactInfo = null;\n \t\t\t\tstring text = null;\n \t\t\t\tint num = 0;\n \t\t\t\tExDateTime exDateTime = default(ExDateTime);\n \t\t\t\tstring text2 = null;\n \t\t\t\tSubmissionHelper submissionHelper = new SubmissionHelper();\n \t\t\t\tuint num2;\n \t\t\t\tusing (StreamReader streamReader = File.OpenText(headerFile))\n \t\t\t\t{\n \t\t\t\t\tstring text3;\n \t\t\t\t\twhile ((text3 = streamReader.ReadLine()) != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstring[] array = text3.Split(\" : \".ToCharArray(), 2, StringSplitOptions.RemoveEmptyEntries);\n \t\t\t\t\t\tif (array != null && array.Length == 2)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tstring text4 = array[0];\n 
\t\t\t\t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text4);\n \t\t\t\t\t\t\tif (num2 <= 872212143U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 134404218U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 77294025U)\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (num2 != 111122938U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (num2 == 134404218U)\n +\t\t\t\t\t\t\t\t\t\t\tif (num2 != 134404218U)\n \t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"ProcessedCount\")\n -\t\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n -\t\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ProcessedCount\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\t\telse if (text4 == \"RecipientObjectGuid\")\n +\t\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientObjectGuid\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientObjectGuid = new Guid(array[1]);\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerNAme\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerNAme\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerName = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 <= 507978139U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif 
(num2 != 152414519U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 507978139U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 507978139U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"RecipientName\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientName\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"ContactInfo\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tcontactInfo = (CommonUtil.Base64Deserialize(array[1]) as ContactInfo);\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tException ex = null;\n +\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n +\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\t}\n 
+\t\t\t\t\t\t\t\t\t\tfinally\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n +\t\t\t\t\t\t\t\t\t\t\t\t\tex\n +\t\t\t\t\t\t\t\t\t\t\t\t});\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 707084238U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 872212143U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 872212143U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallerId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SentTime\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SentTime\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tDateTime dateTime = Convert.ToDateTime(array[1], CultureInfo.InvariantCulture);\n \t\t\t\t\t\t\t\t\texDateTime = new ExDateTime(ExTimeZone.CurrentTimeZone, dateTime);\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 2593661420U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 1526417836U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 978885386U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif 
(num2 == 1526417836U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 1526417836U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"MessageType\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\ttext = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"MessageType\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\ttext = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerAddress\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerAddress\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerAddress = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 1850847732U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 2593661420U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 2593661420U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"CallerIdDisplayName\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerIdDisplayName\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tsubmissionHelper.CallerIdDisplayName = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n 
\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 3342616108U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 != 2975106116U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 3342616108U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 3342616108U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"TenantGuid\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"TenantGuid\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SenderAddress\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SenderAddress\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tstring text5 = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 != 3581765001U)\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\tif (num2 == 4186841001U)\n +\t\t\t\t\t\t\t\tif (num2 != 4186841001U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (text4 == \"CultureInfo\")\n -\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tif (!(text4 == \"CultureInfo\"))\n +\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n +\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\telse if (text4 == \"MessageID\")\n +\t\t\t\t\t\t\telse if (!(text4 == \"MessageID\"))\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\ttext2 = array[1];\n -\t\t\t\t\t\t\t\tcontinue;\n 
+\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\ttext2 = array[1];\n +\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\tIL_409:\n \t\t\t\t\t\t\tsubmissionHelper.CustomHeaders[array[0]] = array[1];\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text);\n \t\t\t\tif (num2 <= 894870128U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 <= 360985808U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 356120169U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 360985808U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"Fax\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new FaxPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"IncomingCallLog\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new IncomingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (num2 != 438908515U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 466919760U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 894870128U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"CDR\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = CDRPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"CDRData\"]);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"MissedCall\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"OCSNotification\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = OCSPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"OCSNotificationData\"]);\n \t\t\t\t\t\ttext2 = pipelineContext.messageID;\n 
\t\t\t\t\t\texDateTime = pipelineContext.sentTime;\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 <= 1086454342U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 995233564U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 1086454342U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"XSOVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tpipelineContext = new XSOVoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"PartnerTranscriptionRequest\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new PartnerTranscriptionRequestPipelineContext(submissionHelper);\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 != 1356218075U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 2525024257U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 3974407582U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"SMTPVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num < PipelineWorkItem.ProcessedCountMax - 1)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new VoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"HealthCheck\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new HealthCheckPipelineContext(Path.GetFileNameWithoutExtension(headerFile));\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (text == \"OutgoingCallLog\")\n \t\t\t\t{\n \t\t\t\t\tpipelineContext = new OutgoingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\tgoto IL_694;\n \t\t\t\t}\n \t\t\t\tthrow new 
HeaderFileArgumentInvalidException(string.Format(CultureInfo.InvariantCulture, \"{0}: {1}\", \"MessageType\", text));\n -\t\t\t\tIL_62E:\n +\t\t\t\tIL_694:\n \t\t\t\tif (text2 == null)\n \t\t\t\t{\n \t\t\t\t\ttext2 = Guid.NewGuid().ToString();\n \t\t\t\t\texDateTime = ExDateTime.Now;\n \t\t\t\t}\n \t\t\t\tpipelineContext.HeaderFileName = headerFile;\n \t\t\t\tpipelineContext.processedCount = num;\n \t\t\t\tif (contactInfo != null)\n \t\t\t\t{\n \t\t\t\t\tIUMResolveCaller iumresolveCaller = pipelineContext as IUMResolveCaller;\n \t\t\t\t\tif (iumresolveCaller != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tiumresolveCaller.ContactInfo = contactInfo;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tpipelineContext.sentTime = exDateTime;\n \t\t\t\tpipelineContext.messageID = text2;\n \t\t\t\tpipelineContext.WriteHeaderFile(headerFile);\n \t\t\t\tresult = pipelineContext;\n \t\t\t}\n -\t\t\tcatch (IOException ex)\n +\t\t\tcatch (IOException ex2)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to parse the header file {0} because its not closed by thread creating the file. Error={1}\", new object[]\n \t\t\t\t{\n \t\t\t\t\theaderFile,\n -\t\t\t\t\tex\n +\t\t\t\t\tex2\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tresult = null;\n \t\t\t}\n -\t\t\tcatch (InvalidObjectGuidException ex2)\n +\t\t\tcatch (InvalidObjectGuidException ex3)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the recipient for this message. 
Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex2\n +\t\t\t\t\tex3\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (InvalidTenantGuidException ex3)\n +\t\t\tcatch (InvalidTenantGuidException ex4)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the tenant for this message. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex3\n +\t\t\t\t\tex4\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (NonUniqueRecipientException ex4)\n +\t\t\tcatch (NonUniqueRecipientException ex5)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Multiple objects found for the recipient. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex4\n +\t\t\t\t\tex5\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n \t\t\treturn result;\n \t\t}\n \n \t\tinternal abstract void WriteCustomHeaderFields(StreamWriter headerStream);\n \n \t\tpublic abstract string GetMailboxServerId();\n \n \t\tpublic abstract string GetRecipientIdForThrottling();\n \n \t\tinternal virtual void SaveMessage()\n \t\t{\n \t\t\tthis.WriteHeaderFile(this.HeaderFileName);\n \t\t}\n \n \t\tprotected override void InternalDispose(bool disposing)\n \t\t{\n \t\t\tif (disposing)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext.Dispose() called\", Array.Empty<object>());\n \t\t\t}\n \t\t}\n \n \t\tprotected override DisposeTracker InternalGetDisposeTracker()\n \t\t{\n \t\t\treturn DisposeTracker.Get<PipelineContext>(this);\n \t\t}\n \n \t\tprotected virtual void 
SetMessageProperties()\n \t\t{\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null)\n \t\t\t{\n \t\t\t\tExAssert.RetailAssert(iumresolveCaller.ContactInfo != null, \"ResolveCallerStage should always set the ContactInfo.\");\n \t\t\t\tUMSubscriber umsubscriber = ((IUMCAMessage)this).CAMessageRecipient as UMSubscriber;\n \t\t\t\tUMDialPlan dialPlan = (umsubscriber != null) ? umsubscriber.DialPlan : null;\n \t\t\t\tMicrosoft.Exchange.UM.UMCommon.PhoneNumber pstnCallbackTelephoneNumber = this.CallerId.GetPstnCallbackTelephoneNumber(iumresolveCaller.ContactInfo, dialPlan);\n \t\t\t\tthis.messageToSubmit.From = iumresolveCaller.ContactInfo.CreateParticipant(pstnCallbackTelephoneNumber, this.CultureInfo);\n \t\t\t\tXsoUtil.SetVoiceMessageSenderProperties(this.messageToSubmit, iumresolveCaller.ContactInfo, dialPlan, this.CallerId);\n \t\t\t\tthis.messageToSubmit.InternetMessageId = BoomerangHelper.FormatInternetMessageId(this.MessageID, Utils.GetHostFqdn());\n \t\t\t\tthis.messageToSubmit[ItemSchema.SentTime] = this.SentTime;\n \t\t\t}\n \t\t\tthis.messageToSubmit.AutoResponseSuppress = AutoResponseSuppress.All;\n \t\t\tthis.messageToSubmit[MessageItemSchema.CallId] = this.helper.CallId;\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tthis.MessageToSubmit.Recipients.Add(new Participant(iumcamessage.CAMessageRecipient.ADRecipient));\n \t\t\t\tIADSystemConfigurationLookup iadsystemConfigurationLookup = ADSystemConfigurationLookupFactory.CreateFromOrganizationId(iumcamessage.CAMessageRecipient.ADRecipient.OrganizationId);\n \t\t\t\tthis.MessageToSubmit.Sender = new Participant(iadsystemConfigurationLookup.GetMicrosoftExchangeRecipient());\n \t\t\t}\n \t\t}\n \n \t\tprotected void WriteHeaderFile(string headerFileName)\n \t\t{\n \t\t\tusing (FileStream fileStream = File.Open(headerFileName, FileMode.Create, FileAccess.Write, FileShare.None))\n \t\t\t{\n 
\t\t\t\tusing (StreamWriter streamWriter = new StreamWriter(fileStream))\n \t\t\t\t{\n \t\t\t\t\tif (this.MessageType != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageType : \" + this.MessageType);\n \t\t\t\t\t}\n \t\t\t\t\tstreamWriter.WriteLine(\"ProcessedCount : \" + this.processedCount.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\tif (this.messageID != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageID : \" + this.messageID);\n \t\t\t\t\t}\n \t\t\t\t\tif (this.sentTime.Year != 1)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"SentTime : \" + this.sentTime.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\t}\n \t\t\t\t\tthis.WriteCommonHeaderFields(streamWriter);\n \t\t\t\t\tthis.WriteCustomHeaderFields(streamWriter);\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tprotected virtual void WriteCommonHeaderFields(StreamWriter headerStream)\n \t\t{\n \t\t\tif (!this.CallerId.IsEmpty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerId : \" + this.CallerId.ToDial);\n \t\t\t}\n \t\t\tif (this.helper.RecipientName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientName : \" + this.helper.RecipientName);\n \t\t\t}\n \t\t\tif (this.helper.RecipientObjectGuid != Guid.Empty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientObjectGuid : \" + this.helper.RecipientObjectGuid.ToString());\n \t\t\t}\n \t\t\tif (this.helper.CallerName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerNAme : \" + this.helper.CallerName);\n \t\t\t}\n \t\t\tif (!string.IsNullOrEmpty(this.helper.CallerIdDisplayName))\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerIdDisplayName : \" + this.helper.CallerIdDisplayName);\n \t\t\t}\n \t\t\tif (this.CallerAddress != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerAddress : \" + this.CallerAddress);\n \t\t\t}\n \t\t\tif (this.helper.CultureInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CultureInfo : \" + this.helper.CultureInfo);\n \t\t\t}\n \t\t\tif 
(this.helper.CallId != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallId : \" + this.helper.CallId);\n \t\t\t}\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null && iumresolveCaller.ContactInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"ContactInfo : \" + CommonUtil.Base64Serialize(iumresolveCaller.ContactInfo));\n \t\t\t}\n \t\t\theaderStream.WriteLine(\"TenantGuid : \" + this.helper.TenantGuid.ToString());\n \t\t}\n \n \t\tprotected UMRecipient CreateRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\treturn UMRecipient.Factory.FromADRecipient<UMRecipient>(this.CreateADRecipientFromObjectGuid(objectGuid, tenantGuid));\n \t\t}\n \n \t\tprotected ADRecipient CreateADRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\tif (objectGuid == Guid.Empty)\n \t\t\t{\n \t\t\t\tthrow new HeaderFileArgumentInvalidException(\"ObjectGuid is empty\");\n \t\t\t}\n \t\t\tADRecipient adrecipient = ADRecipientLookupFactory.CreateFromTenantGuid(tenantGuid).LookupByObjectId(new ADObjectId(objectGuid));\n \t\t\tif (adrecipient == null)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Could not find recipient {0}\", new object[]\n \t\t\t\t{\n \t\t\t\t\tobjectGuid.ToString()\n \t\t\t\t});\n \t\t\t\tthrow new InvalidObjectGuidException(objectGuid.ToString());\n \t\t\t}\n \t\t\treturn adrecipient;\n \t\t}\n \n \t\tprotected UMDialPlan InitializeCallerIdAndTryGetDialPlan(UMRecipient recipient)\n \t\t{\n \t\t\tUMDialPlan umdialPlan = null;\n \t\t\tif (this.CallerId.UriType == UMUriType.E164 && recipient.ADRecipient.UMRecipientDialPlanId != null)\n \t\t\t{\n \t\t\t\tumdialPlan = ADSystemConfigurationLookupFactory.CreateFromADRecipient(recipient.ADRecipient).GetDialPlanFromId(recipient.ADRecipient.UMRecipientDialPlanId);\n \t\t\t\tif (umdialPlan != null && umdialPlan.CountryOrRegionCode != null)\n \t\t\t\t{\n \t\t\t\t\tthis.helper.CallerId = 
this.helper.CallerId.Clone(umdialPlan);\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn umdialPlan;\n \t\t}\n \n \t\tprotected string GetMailboxServerIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.ServerLegacyDN;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"af360a7e-e6d4-494a-ac69-6ae14896d16b\";\n \t\t}\n \n \t\tprotected string GetRecipientIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.DistinguishedName;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"455e5330-ce1f-48d1-b6b1-2e318d2ff2c4\";\n \t\t}\n \n \t\tprivate MessageItem messageToSubmit;\n \n \t\tprivate SubmissionHelper helper;\n \n \t\tprivate string messageType;\n \n \t\tprivate CultureInfo cultureInfo;\n \n \t\tprivate string headerFileName;\n \n \t\tprivate int processedCount;\n \n \t\tprivate string messageID;\n \n \t\tprivate ExDateTime sentTime;\n +\n +\t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n +\t\t{\n +\t\t\ttypeof(Version),\n +\t\t\ttypeof(Guid),\n +\t\t\ttypeof(PropTag),\n +\t\t\ttypeof(ContactInfo),\n +\t\t\ttypeof(ADContactInfo),\n +\t\t\ttypeof(FoundByType),\n +\t\t\ttypeof(ADUser),\n +\t\t\ttypeof(ADPropertyBag),\n +\t\t\ttypeof(ValidationError),\n +\t\t\ttypeof(ADPropertyDefinition),\n +\t\t\ttypeof(ADObjectId),\n +\t\t\ttypeof(ExchangeObjectVersion),\n +\t\t\ttypeof(ExchangeBuild),\n +\t\t\ttypeof(MultiValuedProperty<string>),\n +\t\t\ttypeof(LocalizedString),\n +\t\t\ttypeof(ProxyAddressCollection),\n +\t\t\ttypeof(SmtpAddress),\n 
+\t\t\ttypeof(RecipientDisplayType),\n +\t\t\ttypeof(RecipientTypeDetails),\n +\t\t\ttypeof(ElcMailboxFlags),\n +\t\t\ttypeof(UserAccountControlFlags),\n +\t\t\ttypeof(ObjectState),\n +\t\t\ttypeof(DirectoryBackendType),\n +\t\t\ttypeof(MServPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinitionFlags),\n +\t\t\ttypeof(OrganizationId),\n +\t\t\ttypeof(PartitionId),\n +\t\t\ttypeof(SmtpProxyAddress),\n +\t\t\ttypeof(SmtpProxyAddressPrefix),\n +\t\t\ttypeof(ByteQuantifiedSize),\n +\t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n +\t\t\ttypeof(List<ValidationError>),\n +\t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n +\t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n +\t\t\ttypeof(StoreObjectId),\n +\t\t\ttypeof(StoreObjectType),\n +\t\t\ttypeof(EntryIdProvider),\n +\t\t\ttypeof(SimpleContactInfoBase),\n +\t\t\ttypeof(MultipleResolvedContactInfo),\n +\t\t\ttypeof(CallerNameDisplayContactInfo),\n +\t\t\ttypeof(PersonalContactInfo),\n +\t\t\ttypeof(DefaultContactInfo),\n +\t\t\ttypeof(UMDialPlan),\n +\t\t\ttypeof(UMEnabledFlags),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n +\t\t\ttypeof(DialByNamePrimaryEnum),\n +\t\t\ttypeof(DialByNameSecondaryEnum),\n +\t\t\ttypeof(AudioCodecEnum),\n +\t\t\ttypeof(UMUriType),\n +\t\t\ttypeof(UMSubscriberType),\n +\t\t\ttypeof(UMGlobalCallRoutingScheme),\n +\t\t\ttypeof(UMVoIPSecurityType),\n +\t\t\ttypeof(SystemFlagsEnum),\n +\t\t\ttypeof(EumProxyAddress),\n 
+\t\t\ttypeof(EumProxyAddressPrefix)\n +\t\t};\n \t}\n }\n \n\nThe patch appears to add and use a typed allowlist for deserialization of a voicemail\u2019s contact info, which is found in a header file alongside the voicemail itself. ~~Other seemingly unprotected deserializations can be seen in the same class.~~ (I think it\u2019s just XML parsing.) My suspicion is that [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) or [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) could be used to write a malicious header file to `C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail`, but it\u2019s entirely possible a crafted voicemail could be sent instead. While I haven\u2019t developed a PoC yet, I do have a good idea how to, assuming the patch analysis is correct. Better-resourced attackers should be able to exploit this issue in considerably less time.\n\nThe specifically patched code can be seen below:\n \n \n [snip]\n \t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tException ex = null;\n \t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n \t\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (Exception 
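Review bot: in the contactInfoDeserializationAllowList hunk, the five entries built with Type.GetType("...") evaluate to null when the name fails to resolve (Type.GetType does not throw by default), so a typo or a renamed type silently changes the list, and the behaviour of TypedBinaryFormatter.DeserializeObject on a null allowlist entry is not visible here; resolving those with typeof where the type is accessible, or asserting non-null in the static initializer, would fail closed at startup instead. The System.UnitySerializationHolder entry also deserves a justifying comment: it is the mscorlib type BinaryFormatter uses to persist Type, Module and DBNull references, and its GetRealObject loads the assembly and resolves the type named in the stream, so the allowlist should be confirmed to cover what that resolution produces and not only the record types. In the ContactInfo hunk, ArgumentNullException, SerializationException and any other Exception from DeserializeObject are swallowed, the loop continues with contactInfo left null, and the only record is a TraceDebug in the finally block; a SerializationException at this call is exactly what a rejected payload produces, so tracing it at warning level, as the InvalidObjectGuidException catch further down already does, would give operators something to alert on.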
ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tfinally\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n \t\t\t\t\t\t\t\t\t\t\t\t\tex\n \t\t\t\t\t\t\t\t\t\t\t\t});\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n [snip]\n \n \n \n [snip]\n \t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n \t\t{\n \t\t\ttypeof(Version),\n \t\t\ttypeof(Guid),\n \t\t\ttypeof(PropTag),\n \t\t\ttypeof(ContactInfo),\n \t\t\ttypeof(ADContactInfo),\n \t\t\ttypeof(FoundByType),\n \t\t\ttypeof(ADUser),\n \t\t\ttypeof(ADPropertyBag),\n \t\t\ttypeof(ValidationError),\n \t\t\ttypeof(ADPropertyDefinition),\n \t\t\ttypeof(ADObjectId),\n \t\t\ttypeof(ExchangeObjectVersion),\n \t\t\ttypeof(ExchangeBuild),\n \t\t\ttypeof(MultiValuedProperty<string>),\n \t\t\ttypeof(LocalizedString),\n \t\t\ttypeof(ProxyAddressCollection),\n \t\t\ttypeof(SmtpAddress),\n \t\t\ttypeof(RecipientDisplayType),\n \t\t\ttypeof(RecipientTypeDetails),\n \t\t\ttypeof(ElcMailboxFlags),\n \t\t\ttypeof(UserAccountControlFlags),\n \t\t\ttypeof(ObjectState),\n \t\t\ttypeof(DirectoryBackendType),\n \t\t\ttypeof(MServPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinitionFlags),\n \t\t\ttypeof(OrganizationId),\n \t\t\ttypeof(PartitionId),\n \t\t\ttypeof(SmtpProxyAddress),\n \t\t\ttypeof(SmtpProxyAddressPrefix),\n \t\t\ttypeof(ByteQuantifiedSize),\n \t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n \t\t\ttypeof(List<ValidationError>),\n \t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n \t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n \t\t\ttypeof(StoreObjectId),\n 
\t\t\ttypeof(StoreObjectType),\n \t\t\ttypeof(EntryIdProvider),\n \t\t\ttypeof(SimpleContactInfoBase),\n \t\t\ttypeof(MultipleResolvedContactInfo),\n \t\t\ttypeof(CallerNameDisplayContactInfo),\n \t\t\ttypeof(PersonalContactInfo),\n \t\t\ttypeof(DefaultContactInfo),\n \t\t\ttypeof(UMDialPlan),\n \t\t\ttypeof(UMEnabledFlags),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n \t\t\ttypeof(DialByNamePrimaryEnum),\n \t\t\ttypeof(DialByNameSecondaryEnum),\n \t\t\ttypeof(AudioCodecEnum),\n \t\t\ttypeof(UMUriType),\n \t\t\ttypeof(UMSubscriberType),\n \t\t\ttypeof(UMGlobalCallRoutingScheme),\n \t\t\ttypeof(UMVoIPSecurityType),\n \t\t\ttypeof(SystemFlagsEnum),\n \t\t\ttypeof(EumProxyAddress),\n \t\t\ttypeof(EumProxyAddressPrefix)\n \t\t};\n [snip]\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 3\n", "modified": "2021-03-11T00:00:00", "published": "2021-03-03T00:00:00", "id": "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "href": "https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857", "type": "attackerkb", "title": "CVE-2021-26857", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-24T18:19:42", "bulletinFamily": "info", "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, 
CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 10, 2021 7:13am UTC reported:\n\nWhen used with [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), an unauthenticated SSRF, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) yields unauthed, `SYSTEM`-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the [EAC/ECP interface](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019>), which is a privileged and authenticated web interface.\n\nI was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target\u2019s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>), but \u201cOAB\u201d caught my eye due to its published IOCs. ([OAB](<https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019>) is Microsoft\u2019s implementation of offline address books in Exchange.)\n\n\n\nWriting an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are [well-documented](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) by Microsoft and other entities. 
Bear in mind that attackers will try to use clever or randomized filenames to evade detection.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**cdelafuente-r7** at March 24, 2021 3:26pm UTC reported:\n\nWhen used with [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), an unauthenticated SSRF, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) yields unauthed, `SYSTEM`-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the [EAC/ECP interface](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019>), which is a privileged and authenticated web interface.\n\nI was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target\u2019s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>), but \u201cOAB\u201d caught my eye due to its published IOCs. ([OAB](<https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019>) is Microsoft\u2019s implementation of offline address books in Exchange.)\n\n\n\nWriting an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are [well-documented](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) by Microsoft and other entities. 
Bear in mind that attackers will try to use clever or randomized filenames to evade detection.\n", "modified": "2021-03-11T00:00:00", "published": "2021-03-03T00:00:00", "id": "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "href": "https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065", "type": "attackerkb", "title": "CVE-2021-27065", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-03-18T14:50:05", "bulletinFamily": "info", "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "description": "\n\nOn March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) [released details on an active state-sponsored threat campaign](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group \u201cassessed to be state-sponsored and operating out of China.\u201d\n\nRapid7 detection and response teams [have also observed increased threat activity](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>) against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers **should apply the latest updates on an emergency basis** and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. 
Rapid7 has a comprehensive list of [IOCs available here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>).\n\nThe actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:\n\n * **[CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)**, also known as [Proxylogon](<https://proxylogon.com/>), is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. According to Orange Tsai, the researcher who discovered the vulnerabilities, CVE-2021-26855 allows code execution when chained with CVE-2021-27065 (see below). A successful exploit chain would allow an unauthenticated attacker to "execute arbitrary commands on Microsoft Exchange Server through only an open 443 port." More information and a disclosure timeline are available at <https://proxylogon.com>.\n * **[CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n * **[CVE-2021-26857](<https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857?referrer=blog>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. 
This requires administrator permission or another vulnerability to exploit.\n * **[CVE-2021-26858](<https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\nAlso included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless (scores are CVSS:3.0 base / temporal):\n\n * **[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>)** (CVSS:3.0 9.1 / 8.2)\n * **[CVE-2021-26854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854>)** (CVSS:3.0 6.6 / 5.8)\n * **[CVE-2021-27078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078>)** (CVSS:3.0 9.1 / 8.2)\n\nMicrosoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:\n\n * Exchange Server 2010 (for Service Pack 3\u2014this is a Defense in Depth update)\n * Exchange Server 2013 (CU 23)\n * Exchange Server 2016 (CU 19, CU 18)\n * Exchange Server 2019 (CU 8, CU 7)\n\nExchange Online is not affected.\n\n## For Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.\n\nInsightIDR will generate an alert if suspicious activity is detected in your environment. 
The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, [install the Insight Agent](<https://docs.rapid7.com/insight-agent/install/>) on your Exchange Servers.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=blog#rapid7-analysis>).\n\n## Updates\n\n**Update March 18, 2021:** Microsoft has released a "One-Click Exchange On-premises Mitigation Tool" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended "to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 15, 2021:** There are now multiple reports of [ransomware](<https://twitter.com/phillip_misner/status/1370197696280027136>) being used after initial compromise of unpatched Exchange servers. Microsoft [has confirmed](<https://twitter.com/MsftSecIntel/status/1370236539427459076>) that it is detecting and blocking a new ransomware strain it calls DearCry. 
On-premises Exchange customers should continue to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 7, 2021:** Widespread [exploitation and compromise](<https://twitter.com/GossiTheDog/status/1366894548593573893>) of Exchange servers is ongoing. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, [said on March 6, 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that they are "aware of widespread domestic and international exploitation of these vulnerabilities." Microsoft has [published a script](<https://github.com/microsoft/CSS-Exchange/blob/cb550e399bc2785e958472e533147826e2b6bf24/Security/Test-ProxyLogon.ps1>) to help identify some vulnerable versions of Exchange. Because there is [some potential for false negatives](<https://github.com/microsoft/CSS-Exchange/issues/107>), we recommend using this script as a supporting tool rather than as a primary way of confirming vulnerability. Defenders should check the version of Exchange they're running and compare it against the known vulnerable versions Microsoft has identified. (Those running older, unsupported versions of Exchange should consider updating as a best practice.)\n\nOn-premises Exchange administrators should continue to treat this widespread threat as an incident response scenario and examine their environments for signs of compromise. Rapid7 has [a list of IOCs here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>), which we will continue to update as new information becomes available. 
Microsoft has also released [an updated script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that scans Exchange log files for IOCs associated with the vulnerabilities disclosed on March 2, 2021.", "modified": "2021-03-03T19:23:42", "published": "2021-03-03T19:23:42", "id": "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "href": "https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/", "type": "rapid7blog", "title": "Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T12:49:58", "bulletinFamily": "info", "cvelist": ["CVE-2020-27844", "CVE-2021-1640", "CVE-2021-1729", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21300", "CVE-2021-24089", "CVE-2021-24090", "CVE-2021-24095", "CVE-2021-24104", "CVE-2021-24107", "CVE-2021-24108", "CVE-2021-24110", "CVE-2021-26411", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26859", "CVE-2021-26860", "CVE-2021-26861", "CVE-2021-26862", "CVE-2021-26863", "CVE-2021-26864", "CVE-2021-26865", "CVE-2021-26866", "CVE-2021-26867", "CVE-2021-26868", "CVE-2021-26869", "CVE-2021-26870", "CVE-2021-26871", "CVE-2021-26872", "CVE-2021-26873", "CVE-2021-26874", "CVE-2021-26875", "CVE-2021-26876", "CVE-2021-26877", "CVE-2021-26878", "CVE-2021-26879", "CVE-2021-26880", 
"CVE-2021-26881", "CVE-2021-26882", "CVE-2021-26884", "CVE-2021-26885", "CVE-2021-26886", "CVE-2021-26887", "CVE-2021-26889", "CVE-2021-26890", "CVE-2021-26891", "CVE-2021-26892", "CVE-2021-26893", "CVE-2021-26894", "CVE-2021-26895", "CVE-2021-26896", "CVE-2021-26897", "CVE-2021-26898", "CVE-2021-26899", "CVE-2021-26900", "CVE-2021-26901", "CVE-2021-26902", "CVE-2021-27047", "CVE-2021-27048", "CVE-2021-27049", "CVE-2021-27050", "CVE-2021-27051", "CVE-2021-27052", "CVE-2021-27053", "CVE-2021-27054", "CVE-2021-27055", "CVE-2021-27056", "CVE-2021-27057", "CVE-2021-27058", "CVE-2021-27059", "CVE-2021-27060", "CVE-2021-27061", "CVE-2021-27062", "CVE-2021-27063", "CVE-2021-27065", "CVE-2021-27066", "CVE-2021-27070", "CVE-2021-27074", "CVE-2021-27075", "CVE-2021-27076", "CVE-2021-27077", "CVE-2021-27078", "CVE-2021-27080", "CVE-2021-27081", "CVE-2021-27082", "CVE-2021-27083", "CVE-2021-27084", "CVE-2021-27085"], "description": "\n\nAnother Patch Tuesday ([2021-Mar](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>)) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it\u2019s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! 
Lastly, the Exchange Server vulnerabilities this month are not to be ignored, as more than half of them have been seen exploited in the wild.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 59 \nBrowser | 35 \nESU | 24 \nMicrosoft Office | 11 \nExchange Server | 7 \nDeveloper Tools | 6 \nAzure | 3 \nSQL Server | 1 \n \n## [Exchange Server Vulnerabilities](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>)\n\nEarlier this month Microsoft [released out-of-band updates for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet-facing instances. \n\nYesterday, Microsoft issued an [additional set of patches](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) for older, unsupported versions of Exchange Server. This gives customers who have not been able to update to the most recent version of Exchange a way to defend against these widespread exploit attempts.\n\nIf you administer an Exchange Server, **stop reading this blog and go patch these systems!** For more information, [please see our blog post on the topic](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>).\n\n## Patch those Windows systems!\n\nAlmost half of the newly announced vulnerabilities this month affect components of Windows itself. 
Some major highlights include:\n\n * Multiple high severity RCE vulnerabilities in Windows DNS Server \n([CVE-2021-26877](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26877>), [CVE-2021-26893](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26893>), [CVE-2021-26894](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26894>), [CVE-2021-26895](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26895>), and [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>))\n * Remote Code Execution in Hyper-V ([CVE-2021-26867](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26867>)) enabling virtual machine escape (CVSSv3 9.9)\n\n## Browser Vulnerabilities\n\nSince going end-of-life in November 2020, we haven't seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: [CVE-2021-27085](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27085>) and [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411>). CVE-2021-26411 has been exploited in the wild, so don't delay applying patches if IE is still in your environment.\n\nThe majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. 
These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27075>) | Azure Virtual Machine Information Disclosure Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-27080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27080>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 9.3 | Yes \n[CVE-2021-27074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27074>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 6.2 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27085>) | Internet Explorer Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-21190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21190>) | Chromium CVE-2021-21190 : Uninitialized Use in PDFium | No | No | N/A | Yes \n[CVE-2021-21189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21189>) | Chromium CVE-2021-21189: Insufficient policy enforcement in payments | No | No | N/A | Yes \n[CVE-2021-21188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21188>) | Chromium CVE-2021-21188: Use after free in Blink | No | No | N/A | Yes \n[CVE-2021-21187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21187>) | Chromium CVE-2021-21187: Insufficient data validation in URL formatting | No | No | N/A | Yes 
\n[CVE-2021-21186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21186>) | Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning | No | No | N/A | Yes \n[CVE-2021-21185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21185>) | Chromium CVE-2021-21185: Insufficient policy enforcement in extensions | No | No | N/A | Yes \n[CVE-2021-21184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21184>) | Chromium CVE-2021-21184: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21183>) | Chromium CVE-2021-21183: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21182>) | Chromium CVE-2021-21182: Insufficient policy enforcement in navigations | No | No | N/A | Yes \n[CVE-2021-21181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21181>) | Chromium CVE-2021-21181: Side-channel information leakage in autofill | No | No | N/A | Yes \n[CVE-2021-21180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21180>) | Chromium CVE-2021-21180: Use after free in tab search | No | No | N/A | Yes \n[CVE-2021-21179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21179>) | Chromium CVE-2021-21179: Use after free in Network Internals | No | No | N/A | Yes \n[CVE-2021-21178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21178>) | Chromium CVE-2021-21178 : Inappropriate implementation in Compositing | No | No | N/A | Yes \n[CVE-2021-21177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21177>) | Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill | No | No | N/A | Yes 
\n[CVE-2021-21176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21176>) | Chromium CVE-2021-21176: Inappropriate implementation in full screen mode | No | No | N/A | Yes \n[CVE-2021-21175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21175>) | Chromium CVE-2021-21175: Inappropriate implementation in Site isolation | No | No | N/A | Yes \n[CVE-2021-21174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21174>) | Chromium CVE-2021-21174: Inappropriate implementation in Referrer | No | No | N/A | Yes \n[CVE-2021-21173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21173>) | Chromium CVE-2021-21173: Side-channel information leakage in Network Internals | No | No | N/A | Yes \n[CVE-2021-21172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21172>) | Chromium CVE-2021-21172: Insufficient policy enforcement in File System API | No | No | N/A | Yes \n[CVE-2021-21171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21171>) | Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation | No | No | N/A | Yes \n[CVE-2021-21170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21170>) | Chromium CVE-2021-21170: Incorrect security UI in Loader | No | No | N/A | Yes \n[CVE-2021-21169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21169>) | Chromium CVE-2021-21169: Out of bounds memory access in V8 | No | No | N/A | Yes \n[CVE-2021-21168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21168>) | Chromium CVE-2021-21168: Insufficient policy enforcement in appcache | No | No | N/A | Yes \n[CVE-2021-21167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21167>) | Chromium CVE-2021-21167: Use after free in bookmarks | No | No | N/A | Yes 
\n[CVE-2021-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21166>) | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21165>) | Chromium CVE-2021-21165: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21164>) | Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS | No | No | N/A | Yes \n[CVE-2021-21163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21163>) | Chromium CVE-2021-21163: Insufficient data validation in Reader Mode | No | No | N/A | Yes \n[CVE-2021-21162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21162>) | Chromium CVE-2021-21162: Use after free in WebRTC | No | No | N/A | Yes \n[CVE-2021-21161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21161>) | Chromium CVE-2021-21161: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2021-21160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21160>) | Chromium CVE-2021-21160: Heap buffer overflow in WebAudio | No | No | N/A | Yes \n[CVE-2021-21159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21159>) | Chromium CVE-2021-21159: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2020-27844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-27844>) | Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG | No | No | N/A | Yes \n \n## Browser ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>) | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes 
\n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27060>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27084>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | No | No | N/A | No \n[CVE-2021-27081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27081>) | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27083>) | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27082>) | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-21300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21300>) | Git for Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No \n[CVE-2021-26855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes \n[CVE-2021-27078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078>) | Microsoft Exchange Server Remote Code Execution 
Vulnerability | No | No | 9.1 | No \n[CVE-2021-26857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-27065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.6 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27055>) | Microsoft Visio Security Feature Bypass Vulnerability | No | No | 7 | Yes \n[CVE-2021-24104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24104>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-27052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27052>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-27056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27056>) | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24108>) | Microsoft Office Remote Code Execution 
Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27057>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27059>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-27058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27058>) | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27053>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27054>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859>) | Microsoft Power BI Information Disclosure Vulnerability | No | No | 7.7 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26900>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26863>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26871>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-26885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26885>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26864>) | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | No | No | 8.4 | No \n[CVE-2021-1729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1729>) | Windows Update Stack Setup Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26889>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26866>) | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26870>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26874>) | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26879>) | Windows NAT Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-26884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26884>) | Windows Media Photo Codec Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-26868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26868>) | Windows Graphics 
Component Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26892>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.2 | No \n[CVE-2021-24090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24090>) | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26865>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 8.8 | No \n[CVE-2021-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26891>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26860>) | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-27066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27066>) | Windows Admin Center Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-27070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27070>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-26886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26886>) | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2021-26880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26880>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26876>) | OpenType Font Parsing Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-24089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24089>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26902>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27061>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24110>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27047>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27048](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27048>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27049>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27050>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27051>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27062>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24095>) | DirectX Elevation of Privilege 
Vulnerability | No | No | 7 | No \n[CVE-2021-26890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26890>) | Application Virtualization Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>) | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-26875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26875>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26873>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26899>) | Windows UPnP Device Host Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1640>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26878>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26862>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 6.3 | No \n[CVE-2021-26861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26861>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24107>) | Windows Event Tracing Information Disclosure Vulnerability 
| No | No | 5.5 | Yes \n[CVE-2021-26872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26898>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26901>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26897>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26877>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26893>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26894>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26895>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26896>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-27063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27063>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26869>) | Windows ActiveX Installer Service 
Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26882>) | Remote Access API Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26881>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.5 | No \n[CVE-2021-26887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26887>) | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Summary Graphs\n\n", "modified": "2021-03-09T22:13:03", "published": "2021-03-09T22:13:03", "id": "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "href": "https://blog.rapid7.com/2021/03/09/patch-tuesday-march-2021/", "type": "rapid7blog", "title": "Patch Tuesday - March 2021", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-25T14:10:02", "description": "The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. 
(CVE-2021-26412, CVE-2021-26854,\n CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065,\n CVE-2021-27078)", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-03T00:00:00", "title": "Security Updates for Microsoft Exchange Server (March 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-26412", "CVE-2021-26857", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "href": "https://www.tenable.com/plugins/nessus/147003", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147003);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/24\");\n\n script_cve_id(\n \"CVE-2021-26412\",\n \"CVE-2021-26854\",\n \"CVE-2021-26855\",\n \"CVE-2021-26857\",\n \"CVE-2021-26858\",\n \"CVE-2021-27065\",\n \"CVE-2021-27078\"\n );\n script_xref(name:\"MSKB\", value:\"5000871\");\n script_xref(name:\"MSFT\", value:\"MS21-5000871\");\n script_xref(name:\"IAVA\", value:\"2021-A-0111\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (March 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-26412, CVE-2021-26854,\n CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065,\n CVE-2021-27078)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14b26c05\");\n # https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fedb98e4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5000871\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26855\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyLogon RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-12';\nkbs = make_list(\n '5000871' # 2013 CU 23 / 2016 CU18-19 / 2019 CU 7-8\n);\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\ninstall = get_single_install(app_name:'Microsoft Exchange');\n\npath = install['path'];\nversion = install['version'];\nrelease = install['RELEASE'];\nport = kb_smb_transport();\n\nif (\n release != 150 && # 2013\n release != 151 && # 2016\n release != 152 # 2019\n) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);\n\nif (!empty_or_null(install['CU']))\n cu = install['CU'];\nif (!empty_or_null(install['SP']))\n sp = install['SP'];\n\nif (release == 150) # Exchange Server 2013\n{\n if (cu == 23)\n {\n fixedver = '15.0.1497.12';\n }\n else if (cu < 23)\n {\n unsupported_cu = TRUE;\n }\n\n kb = '5000871';\n}\nelse if (release == 151) # Exchange Server 2016\n{\n if (cu == 14)\n {\n fixedver = '15.1.1847.12';\n }\n else if (cu == 15)\n {\n fixedver = '15.1.1913.12';\n }\n else if (cu == 16)\n {\n fixedver = '15.1.1979.8';\n }\n else if (cu == 18)\n {\n fixedver = '15.1.2106.13';\n }\n else if (cu == 19)\n {\n fixedver = 
'15.1.2176.9';\n }\n else if (cu < 19)\n {\n unsupported_cu = TRUE;\n }\n\n kb = '5000871';\n}\nelse if (release == 152) # Exchange Server 2019\n{\n if (cu == 4)\n {\n fixedver = '15.2.529.13';\n }\n else if (cu == 5)\n {\n fixedver = '15.2.595.8';\n }\n else if (cu == 6)\n {\n fixedver = '15.2.659.12';\n }\n else if (cu == 7)\n {\n fixedver = '15.2.721.13';\n }\n else if (cu == 8)\n {\n fixedver = '15.2.792.10';\n }\n else if (cu < 8)\n {\n unsupported_cu = TRUE;\n }\n\n kb = '5000871';\n}\n\nif ((fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:\"Bin\"), file:'ExSetup.exe', version:fixedver, bulletin:bulletin, kb:kb))\n || (unsupported_cu && report_paranoia == 2))\n{\n if (unsupported_cu)\n hotfix_add_report('The Microsoft Exchange Server installed at ' + path +\n ' has an unsupported Cumulative Update (CU) installed and may be ' +\n 'vulnerable to the CVEs contained within the advisory. Unsupported ' +\n 'Exchange CU versions are not typically included in Microsoft ' +\n 'advisories and are not indicated as affected.\\n',\n bulletin:bulletin, kb:kb);;\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-03-11T20:27:44", "bulletinFamily": "blog", "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "description": "**Update March 10, 2021**: A new section describes how to respond with mitigation controls if patches cannot be applied, as recommended by Microsoft. 
This section details the Qualys Policy Compliance control ids for each vulnerability.\n\n**Update March 8, 2021**: Qualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. QID 50108 is available in VULNSIGS-2.5.125-3 version and above, and is available across all platforms as of March 8th, 1:38 AM ET. This QID is not applicable to agents, so the signature version for the agent will not be updated. QID: 50107, released in VULNSIGS-2.5.121-4 and Windows Cloud Agent manifest 2.5.121.4-3 and above, will accurately detect this vulnerability via agents.\n\n**Original Post**: On March 2nd, [Microsoft released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.\n\nTo detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.\n\nCVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\nAmong the above CVEs, [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) are being actively targeted in the wild using zero-day exploits. 
Microsoft attributes these attacks with high confidence to the HAFNIUM (Chinese cyber spy) threat actor group. These vulnerabilities affect the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\nAt the time of the security update release the vulnerabilities affect only on-premises Microsoft Exchange Server installations. Exchange Online is not affected.\n\n### CVE Technical Details\n\n**[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)** is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to on-premises Exchange servers. Attackers can also trick the Exchange server into executing arbitrary commands by exploiting this vulnerability.\n\n**[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server. \n\n**[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>)** is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.\n\n**[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)** is a post-authentication arbitrary file write vulnerability in Exchange. 
Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path of the target Exchange server.\n\n### Attack Chain\n\nMicrosoft has provided details regarding how the HAFNIUM (threat actor) group is exploiting the above-mentioned critical CVEs. The following sequence of steps summarizes Microsoft\u2019s findings.\n\n 1. The initial step in the attack chain includes the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.\n 2. After successfully establishing the connection, the threat actor group exploits CVE-2021-26857, which gives them the ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.\n 3. As part of their post-authentication actions, the threat actor group exploits [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) and proceeds to write files to any path of the target server.\n\nIt has been observed that after gaining the initial access, the threat actor group deployed web shells on the target compromised server.\n\nThe following table shows the MITRE ATT&CK Technique and Tactic details.\n\n**Tactic**| **Technique**| **Sub-Technique**| **TID** \n---|---|---|--- \nReconnaissance| Gather Victim Identity Information| Email Addresses| T1589.002 \nReconnaissance| Gather Victim Identity Information| IP Addresses| T1589.005 \nResource Development| Develop Capabilities| Exploits| T1587.004 \nInitial Access| Exploit Public-Facing Application| -| T1190 \nExecution| Command and Scripting Interpreter| PowerShell| T1059.001 \nPersistence| Create Account| Domain Account| T1136.002 \nPersistence| Server Software Component| Web Shell| T1505.003 \nCredential Access| OS Credential Dumping| LSASS Memory| T1003.001 \nCredential Access| OS Credential Dumping| NTDS| 
T1003.003 \nLateral Movement| Remote Services| SMB/Windows Admin Shares| T1201.002 \nCollection| Archive Collected Data| Archive via Utility| T1560.001 \nCollection| Email Collection| Remote Email Collection| T1114.002 \nCollection| Email Collection| Local Email Collection| T114.001 \nCommand and Control| Remote Access Software| -| T1219 \nExfiltration| Exfiltration over Web Service| Exfiltration to Cloud Storage| T1567.002 \n \n### Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR\n\n##### Identify Microsoft Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange server systems.\n\nQuery: _operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cExchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n##### Discover Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you want to detect which of these assets have flagged this vulnerability. 
VMDR automatically detects new vulnerabilities like these based on the always updated KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\nVMDR query: `vulnerabilities.vulnerability.qid:50107`\n\n\n\nQID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.121.4-3 and above.\n\nQualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. This QID is not applicable to agents. QID 50108 is available in VULNSIGS-2.5.125-3 version and above.\n\nOrganizations that use on-premises Exchange installations typically also enable Outlook Web Access (OWA), which is exposed to the internet to allow users to connect into their e-mail systems. It is therefore recommended organizations employ both remote and authenticated scanning methods to get the most accurate view of vulnerable assets, as using only the agent-based approach would not provide a comprehensive picture of the vulnerability exposure.\n\nWith VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Dashboard**: [Exchange Server 0-Day Dashboard | Critical Global View](<https://qualys-secure.force.com/customer/s/article/000006564>)\n\n\n\n##### Respond by Patching\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select \u201cqid: 50107\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Exchange Server 0-day.\n\n\n\nSecurity updates are available for the following specific versions of Exchange:\n\n * [Update for Exchange Server 2019](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires Cumulative Update (CU) 8 or CU 7\n * [Update for Exchange Server 2016](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 19 or CU 18\n * [Update for Exchange Server 2013](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 23\n * [Update for Exchange Server 2010](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459>): Requires SP 3 or any SP 3 RU\n * This is a defense-in-depth update.\n\nUsers are encouraged to apply patches as soon as possible.\n\n##### Respond with Mitigation Controls if Patches Cannot Be Applied\n\nWe recognize not all organizations may be able to patch their systems right away. In such scenarios Microsoft has recommended a few [interim mitigation controls](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) to limit the exploitation of these vulnerabilities. 
[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) has added controls based on these recommendations for impacted Exchange Servers 2013, 2016, and 2019. The vulnerability details and corresponding Control IDs (CIDs) are provided below.\n\n**CVE-2021-26855**: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.\n\n * **CID 20831** - Status of match URL of rewrite rule 'X-BEResource Abort - inbound' for which action is 'AbortRequest at site level\n * **CID 20834** - Status of match URL of rewrite rule 'X-AnonResource-Backend Abort - inbound' for which action is 'AbortRequest at site level\n\n**CVE-2021-26857**: Disabling the UM Service will mitigate this vulnerability.\n\n * **CID 20829** - Status of 'component' installed on the MS Exchange server\n * **CID 20828** - Status of Microsoft Exchange Unified Messaging Call Router service\n * **CID 20827** - Status of Microsoft Exchange Unified Messaging service\n\n**CVE-2021-27065**: Disabling OAB Application Pool will prevent this CVE from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. 
After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to Inactive.\n\n * **CID 20832** - Check the 'startMode' of the OAB Application Pool (MSExchangeOABAppPool)\n\n**CVE-2021-26858**: Disabling ECP Virtual Directory will prevent CVE-2021-27065 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).\n\n * **CID 20833** - Check the 'startMode' of the ECP Application Pool (MSExchangeECPAppPool)\n\nQualys Policy Compliance can be used to easily monitor these mitigating controls for impacted Exchange assets.\n\n\n\nDrill down into failing controls to view details and identify issues.\n\n\n\n### Post-Compromise Detection Details\n\nAfter compromising a system, an adversary can perform the following activity:\n\nUse legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857 as these methods do need administrative privileges.\n\n\n\nUse 7-Zip or WinRar to compress files for exfiltration.\n\n\n\nUse PowerShell based remote administration tools such as Nishang & PowerCat to exfiltrate this data.\n\n\n\nTo maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX- and PHP-based web shells for command and control. 
Information about their probable location and their related hashes are mentioned below.\n\n**Web shell hashes**:\n \n \n b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n**Web shell paths**:\n\n`C:\\inetpub\\wwwroot\\aspnet_client\\ \nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V14\\FrontEnd\\HttpProxy\\owa\\auth\\ \nC:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\`\n\n### References\n\n * https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901\n * https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "modified": "2021-03-03T22:12:19", "published": "2021-03-03T22:12:19", "id": "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Microsoft Exchange Server Zero-Days (ProxyLogon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}