Microsoft’s Patch Tuesday release for April includes fixes for four new zero days in Exchange Server that the National Security Agency discovered and disclosed to the company. Unlike the ProxyLogon vulnerabilities in Exchange disclosed earlier this year, these four bugs have not been exploited in the wild yet.
All four bugs can result in remote code execution, and two of them can be exploited without authentication. The vulnerabilities affect Exchange 2013, 2016, and 2019, and all of them are rated critical.
“We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats,” the Microsoft Security Response Center said in a post.
The two most worrisome of the four bugs are CVE-2021-28480 and CVE-2021-28481, both of which are listed as likely to be exploited and neither of which requires user interaction or authentication to exploit.
“Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as ‘Network,’ it is likely these bugs are wormable – at least between Exchange servers. The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year. These bugs were credited to the National Security Agency,” Dustin Childs of the Zero Day Initiative, a former Microsoft security evangelist, said in a post.
“Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible.”
In addition to the Exchange flaws, Microsoft also released a patch for an elevation of privilege bug in Windows that has been actively exploited by at least one attack group. Researchers at Kaspersky discovered the flaw and exploitation activity and said it is likely being used by the same attack group, Bitter APT, that was using another Windows zero day late last year.
“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities,” Costin Raiu of Kaspersky wrote in a post on the vulnerability.
The Windows vulnerability (CVE-2021-28310) affects Windows 10 and Windows Server.