Microsoft Exchange Server with another critical vulnerability: April 2021 CU update available
We remember the huge security hole in Microsoft Exchange Server at the beginning of March. Now there is another security update for a security problem with the popular Microsoft mail server. A vulnerability discovered a few days ago is hereby fixed. The BSI is already warning.
At Pwn2Own 2021, participants from all over the world tried to track down security gaps in well-known systems and take those systems over. Exchange Server was once again in focus (we remember the beginning of March) and was successfully taken over during the event. The vulnerabilities were then reported to Microsoft; no attacks are currently known. Likewise, the gaps are not yet public. As we know, however, such a gap can be exploited fairly quickly. Microsoft published the new security patches less than an hour ago today, and they fix four holes. The gaps newly reported at Pwn2Own have not yet been fixed; patches for these will probably arrive in May. These will then again be regarded as critical:
Microsoft Exchange Server: Download the April 2021 security patch
The BSI also warns of the security gaps and strongly recommends installing the updates. The BSI document contains further information on this. Admins should really pay attention here, considering the incident at the beginning of March, when several 100,000 Exchange servers all over the world were taken over. It says about the current gap:
The DEVCORE team combined an authentication bypass and a local privilege escalation to completely take over the Exchange server.
Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get you 7.5 Master of Pwn points.
Updates are available for Exchange Server 2013 (CU23), 2016 (CU19, CU20) and 2019 (CU8, CU9). We have linked each update directly at the relevant CU. Microsoft also points out that these updates should be started from a command prompt with admin rights. The CMD is started with a right click -> "Run as administrator" and then the path of the update file is selected directly.
If there is no update available for the version in use, the server must first be updated to a supported CU. The security update can then be installed. All other servers are unprotected.
Alternatively, the update is also available via Windows Update, which, as usual, is not always completely reliable. If you want to be on the safe side, install the patch directly. Don't forget to make a backup beforehand. And this time it's best to really work a night shift this evening before there are nasty surprises like at the beginning of March.
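The elevated installation described above, written as a PowerShell script (an added example, not from the article or from Microsoft). It assumes the downloaded update is a Windows Installer patch (.msp); the parameter name `MspPath` and the log file name are chosen for illustration.

```powershell
# Added example: install an Exchange security update only from an elevated session.
# Assumption: the update is an .msp file; $MspPath is a placeholder for its location.
param(
    [Parameter(Mandatory = $true)]
    [string]$MspPath
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to continue unless this session was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated. Start the shell with "Run as administrator" and run again.'
}

# 2. Resolve the update file and make sure it really is an .msp patch.
$msp = Get-Item -LiteralPath $MspPath
if ($msp.Extension -ne '.msp') {
    throw "Expected an .msp file, got '$($msp.Name)'."
}

# 3. Apply the patch with verbose logging so a failed run can be diagnosed.
$log     = Join-Path $env:TEMP ("exchange-su-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
$msiArgs = @('/update', "`"$($msp.FullName)`"", '/l*v', "`"$log`"")
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 4. Interpret the Windows Installer exit code.
switch ($proc.ExitCode) {
    0       { Write-Host "Update installed. Log: $log" }
    3010    { Write-Host "Update installed, restart required. Log: $log" }
    1641    { Write-Host "Update installed, restart initiated. Log: $log" }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $log" }
}
```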
Hello David,
maybe it should be mentioned again that the PWN2OWN gaps were not closed by the last Exchange patches.
Kind regards, Seb
Hello Seb,
thanks for the hint! That's true, of course, I specified that in the article.
Best regards, David from TechnikNews