Reading Time: 4 minutes

Introduction

Microsoft Exchange Security Update

In this article, we provide updated information concerning the ongoing threat posed by the malware directed at Microsoft Exchange Servers noted in CVE-2021-26855. We also furnish the steps needed to update and secure your Microsoft Exchange Server. In a recent post, the Cybersecurity & Infrastructure Security Agency posted a priority security advisory regarding the recent Microsoft Exchange Server vulnerability. They state:

CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise. CISA issued ED 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch.

Currently, the vulnerabilities related to this known exploitation activity include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. According to Microsoft and security researchers, the following vulnerabilities are related yet not known to be exploited: CVE-2021-26412, CVE-2021-26854, CVE-2021-27078.

https://www.cisa.gov/ed2102

Microsoft has provided a new “one-click” mitigation tool called the Microsoft Exchange On-Premises Mitigation Tool. It assists clients who do not have access to a dedicated team of IT security professionals to apply the required security updates. They have tested the tool against the following deployments:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

This tool is designed as a stopgap measure for clients who are not familiar with the Microsoft patch/update process, or for those who have not yet applied any recent on-premises Microsoft Exchange Server security update.

Once run, the application will initially provide mitigation against the current known exploit (CVE-2021-26855) using a URL rewrite configuration. Next, it will scan your Microsoft Exchange Server utilizing the Microsoft Safety Scanner and then reverse any modifications made by the identified threats.

By downloading and running this tool (which includes the latest Microsoft Safety Scanner), clients automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a substitute for the Exchange security update. Still, it is the easiest and fastest method to mitigate the risks posed to pre-patched, on-premises Exchange Servers connected to the internet.

Prerequisites

These are the requirements needed to run the Exchange On-premises Mitigation Tool

  • External Internet Connection from your Exchange server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module).
  • PowerShell script must be run as Administrator.

System Requirements

  • PowerShell 3 or later
  • IIS 7.5 and later
  • Exchange 2013, 2016, or 2019
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019

Recommendations

CISA recommends all susceptible Exchange owners take the following steps.

Step 1. Download and Install the Detection Script

Download the scanning tool and open it.

Step 2.

Select the type of scan to run and begin the scan.

Step 3.

Review the scan results displayed on the screen. For detailed detection results, clients can view the log file located at %SYSTEMROOT%\debug\msert.log.

Step 4.

After implementing scan, follow the suggested guidelines noted here.

Step 5.

Remove the tool. To complete the task, delete the msert.exe executable file.

If Compromised

If you have been compromised, Microsoft advises following this guide to better understand what to do next.

Conclusion

Clients using the affected versions should update their systems with the patches immediately. For additional info about the script, the Microsoft blog provides more detailed information. For further information about this vulnerability, users can visit the following links.

Note:
This vulnerability is not related to the recent SolarWinds attack.

We pride ourselves on being The Most Helpful Humans In Hosting™!

Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

Should you have any questions regarding this information, please contact us via a support ticket, a chat, or phone at 800.580.495. We are always available to answer any inquiries regarding this article, 24 hours a day, 7 days a week, 365 days a year.

If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner, and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at @800.580.4985, a chat or support ticket to answer any questions you may have.

Avatar for David Singer

About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Latest Articles

10 Python Tips and Tricks for Data Science Projects

Read Article

How to Upload Information to VMware through SFTP

Read Article

Accessing Man Pages on Ubuntu 16.04 LTS

Read Article

Premium Business Email Pricing FAQ

Read Article

Microsoft Exchange Server Security Update

Read Article