Time to Patch: The Clock’s Ticking on Four More Microsoft Exchange Vulnerabilities

It’s been just a few weeks since Microsoft patched four zero-day vulnerabilities in Exchange Server. Attacks exploiting these bugs may have compromised as many as 30,000 endpoints in the U.S. alone.

Well, guess what? System administrators have another four Exchange Server vulnerabilities to address as part of this month’s Patch Tuesday update round — three of which are rated “critical.”

Given the attention cybercriminals are paying to this product and the potential repercussions of an attack, this requires your urgent attention.

Fortunately, Tanium offers a highly effective way to find and patch affected servers and proactively plan for any further disruption.

Why it matters

There are some differences between this most recent vulnerability disclosure and the Exchange Server vulnerabilities that were patched last month.

First, these four had not been previously publicly disclosed. There’s evidence that the so-called “ProxyLogon” bugs fixed in March had been exploited in the wild for two months.

However, there’s plenty to mark out these latest CVEs as a priority for patching. CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 are remote code execution bugs that affect the on-premises version of Microsoft Exchange Server versions 2013 through 2019. CVE-2021-28482 is rated “High” severity while the remaining three are “critical.” They require low or no privileges, and no user interaction, to exploit. Plus, attack complexity is rated “low” for all four.

These should all be red flags. Even non-sophisticated attackers would likely find it relatively easy to exploit these vulnerabilities. But to what end?

As we’ve seen with global attacks earlier in the year, Exchange Server is an attractive target in its own right, storing highly sensitive corporate information.

It also offers a gateway to other IT systems if attackers can steal credentials from these servers. Exchange Server is typically installed with some of the highest privileges in Active Directory.

Why patching is so critical

To further emphasize the importance of patching these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has demanded all federal agencies take action by Friday. It said:

CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.

How Tanium can help

As soon as any vendor patch is released, the clock starts ticking. Cybercriminals will start decompiling the fix immediately to work out the associated vulnerabilities and how they can be used in attacks. Within just hours, you could see malware.

That means your organization must be thinking about responding in minutes and hours, not weeks or days. For critical vulnerabilities on key strategic assets like Exchange Server, there is no time to lose.

However, many organizations find it challenging to understand where these endpoint devices are and whether they’re running the affected software versions. It can be complicated for those running larger IT estates.

This is where Tanium’s unique approach can help. We offer the following tools to provide visibility and control where you need it most to locate and take action on these assets.

• Tanium Interact allows you to quickly and easily query whether you have vulnerable endpoints (e.g., Exchange Server) and get answers back in real-time, across thousands or even hundreds of thousands of IT assets.
• Tanium Patch allows you to patch vulnerabilities at speed and scale using normal workflows. It can be deployed to automate patching of critical endpoint assets like Exchange Server to close your window of exposure.
• Tanium Impact maps out where attackers may move next if they compromise a specific endpoint. With Exchange Server, lateral movement is likely given the privileged credentials stored on the endpoint. With this tool, you can take a more proactive cyber risk management approach, allowing you to plan for and disrupt any potential malicious actions.

More on the way

As we highlighted during the last major security alert, this won’t be the last we see of threats to Exchange Server. There’s already another fix on the way after white hat researchers found a new bug during the recent Pwn2Own competition. You can also be sure that cybercriminals will be swarming all over Microsoft Exchange, looking for more flaws to exploit.

That the NSA notified Microsoft of this latest batch of vulnerabilities speaks to the criticality of prompt patching.

Organizations must find an efficient, automated way to do so at speed and scale, starting with gaining visibility into their endpoint estate. Business starts at the edge today. So that’s also where you must focus your cyber risk management strategy.

For more detailed information on how customers can address this vulnerability with Tanium, read the article on the Tanium Community.

---

Learn more about how the Tanium platform can help find and remediate vulnerabilities.