Drei weitere Exchange Exploits nach HAFNIUM

Auf der diesjährigen Pwn2Own 2021 wurden scheinbar drei weitere Exchange Exploits – nach HAFNIUM – erfolgreich gegen diverse Exchange Server Versionen vorgestellt.

Erste Infos finden sich auf msxfaq.de (Pwn2Own 2021 (msxfaq.de)) oder auch bei borncity.de (Vorwarnung: 0-Day-Schwachstellen, ist das nächste Exchange-Drama im Anrollen? | Borns IT- und Windows-Blog (borncity.com)).

Generell wird auf den Patch Tuesday verwiesen, der ja nächsten Dienstag, am 13.04.2021, ansteht. Daher: Augen auf und Öhrchen spitzen. 😉

Update 13.04.2021 (Patch Tuesday): Die Updates für Exchange Server 2013 CU23, Exchange Server 2016 CU19 und CU20 sowie für Exchange Server 2019 CU8 und CU9 sind soeben veröffentlicht worden. Hier (Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779)) sollten sich „gleich“ die Updates finden. Im Windows Update Catalog finden sich die Patches bereits: Microsoft Update-Katalog

• Download Security Update For Exchange Server 2019 Cumulative Update 9 (KB5001779)
• Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5001779)
• Download Security Update For Exchange Server 2016 Cumulative Update 20 (KB5001779)
• Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5001779)
• Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5001779)

Wichtig (wie eigentlich immer bei Exchange Security Updates) – Die Known Issues:

Known issues in this update

When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.

This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update.

1) Select Start, and type cmd.

2) In the results, right-click Command Prompt, and then select Run as administrator.

3) If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

4) Type the full path of the .msp file, and then press Enter.

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779)

This month’s release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers. These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats. Customers using Exchange Online are already protected and do not need to take any action. More information on installing these updates is available in our Exchange Release blog.

April 2021 Update Tuesday packages now available – Microsoft Security Response Center

• CVE-2021-28480 | Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28481 | Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28482 | Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28483 | Microsoft Exchange Server Remote Code Execution Vulnerability

Hier noch der Link zum Exchange Team Blog: Released: April 2021 Exchange Server Security Updates – Microsoft Tech Community

Aus der Timeline der Zero Day Initiative (Zero Day Initiative — Pwn2Own 2021 – Schedule and Live Results):

06.04.2021:
1130 – DEVCORE targeting Microsoft Exchange in the Server category
SUCCESS – The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.

07.04.2021:
1130 – Team Viettel targeting Microsoft Exchange in the Server category
PARTIAL – Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.

08.04.2021
1000 – Steven Seeley of Source Incite targeting Microsoft Exchange in the Server category
PARTIAL – Although Steven did use two unique bugs in his demonstration, this attempt was a partial win due to the Man-in-the-Middle aspect of the exploit. It’s still great research though, and he earns 7.5 Master of Pwn points.

Zero Day Initiative — Pwn2Own 2021 – Schedule and Live Results

Wer sich alle drei Tage ansehen möchte:

1. Tag 1: Pwn2Own 2021 – Day One Live Stream – YouTube
2. Tag 2: Pwn2Own 2021 – Day Two Live Stream – YouTube
3. Tag 3: Pwn2Own 2021 – Day Three Live Stream – YouTube

BTW.: Es gab auch einen erfolgreichen Exploit gegen Microsoft Teams:

Success! OV was able to demonstrate his exploit of #Microsoft #Teams. They're off to the disclosure room with the details. If confirmed, it will be worth $200,000 USD and 20 Master of Pwn points. pic.twitter.com/2mWGh11mvs

— Zero Day Initiative (@thezdi) April 6, 2021