Microsoft Fixes Actively Exploited Exchange Server Bug

The Exchange Server flaw is one of 55 vulnerabilities fixed in Microsoft's Patch Tuesday update.

Microsoft is urging administrators to apply patches for a remote code execution vulnerability in Exchange Server, which is being exploited in the wild.

The important-severity flaw (CVE-2021-42321) stems from improper validation of the arguments passed to cmdlets, which are commands used in the PowerShell environment. To exploit the vulnerability, an attacker must first be authenticated.

“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” said Microsoft in a Tuesday advisory. “Our recommendation is to install these updates immediately to protect your environment.”

The exploited flaw comes as part of Microsoft’s November Patch Tuesday updates, which included fixes for 55 vulnerabilities. Microsoft said that the Exchange vulnerabilities that are part of the security update affect on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode. However, the company said Exchange Online users are already protected and do not need to take any action.

As part of this advisory, an important-severity security feature bypass zero-day (CVE-2021-42292) in Microsoft Excel was also fixed. Microsoft said that “exploitation was detected” for this flaw, and proof-of-concept exploit code is available. An attacker could exploit this flaw in order to bypass certain security settings on victims' machines, said Jon Munshaw and Tiago Pereira with Cisco Talos in a Tuesday analysis.

"In a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of these attacks by avoiding a security prompt and consequently reducing the social engineering necessary to infect the victim," said Munshaw and Pereira.

Microsoft also issued patches for four previously known vulnerabilities, including two remote code execution flaws (CVE-2021-43208 and CVE-2021-43209) in 3D Viewer, which allows users to view 3D models and animations in real time, and two information disclosure bugs (CVE-2021-38631 and CVE-2021-41371) in Windows Remote Desktop Protocol (RDP). Six critical-severity vulnerabilities were also addressed in the update. The most severe of these included a buffer overflow flaw (CVE-2021-3711) in OpenSSL that impacts Microsoft Visual Studio 2017 and 2019, and a remote code execution flaw (CVE-2021-26443) in Microsoft Virtual Machine Bus (VMBus).

Another critical-severity remote code execution flaw (CVE-2021-38666) in RDP allows an attacker with control of a Remote Desktop Server to achieve RCE on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. Because of the various factors going into this type of attack, including user interaction being a prerequisite, "there are limited cases where the vulnerability could be exploited," said Munshaw and Pereira.

"However, this issue should not be ignored, as there are specific circumstances in which this vulnerability could be used to obtain further privileges or for lateral movement," they said.

Microsoft Exchange Servers have faced an array of vulnerabilities over the past year, including the ProxyShell set of vulnerabilities, which have been actively exploited by attackers. Three separate bugs make up ProxyShell, and all of them can lead to arbitrary code execution.