SB2021030301 - Multiple vulnerabilities in Microsoft Exchange Server
Published: March 3, 2021 Updated: May 14, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2021-26412)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
2) Input validation error (CVE-ID: CVE-2021-26854)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-26855)
The vulnerability allows a remote attacker to execute arbitrary code on the system.The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted HTTP request to the Microsoft Exchange OWA interface, upload arbitrary file on the server and execute it.
Note, this vulnerability is being actively exploited in the wild.
4) Input validation error (CVE-ID: CVE-2021-26857)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
5) Input validation error (CVE-ID: CVE-2021-26858)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
6) Input validation error (CVE-ID: CVE-2021-27065)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
7) Input validation error (CVE-ID: CVE-2021-27078)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Remediation
Install update from vendor's website.
References
- https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
- https://github.com/microsoft/CSS-Exchange/tree/main/Security
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078