#VU50471 Cross-site request forgery in Microsoft Exchange Server


Published: 2021-02-25 | Updated: 2021-06-10

Vulnerability identifier: #VU50471

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-24085

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Microsoft Exchange Server
Server applications / Mail servers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insecure generation of CSRF tokens for Office add-in installation within the HasValidCanary function inside the Canary15 class. A remote user can trick the victim into visiting a specially crafted web page and escalate privileges on the server.
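To make the defensive point concrete: a CSRF canary is only as good as its generation and its validation. The following is an added illustration, not Exchange's code and not a reconstruction of the Canary15 or HasValidCanary implementation; the function names, the session/user binding, the lifetime and the token layout are all assumptions chosen for the example. It shows the properties a sound canary needs: it is derived from a server-side secret the attacker cannot know, bound to the session and the user it was issued for, time-limited, and compared in constant time.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed per-deployment secret. A real server keeps this out of user reach
# and never derives the canary from user-controlled or guessable values alone.
SERVER_SECRET = os.urandom(32)

# Token layout (assumption for this example): 8-byte timestamp | 16-byte nonce | 32-byte HMAC-SHA256
_PAYLOAD_LEN = 8 + 16
_MAC_LEN = 32


def _bind(payload: bytes, session_id: str, user: str) -> bytes:
    """Data covered by the MAC: payload plus the session and user the canary belongs to."""
    return payload + b"|" + session_id.encode() + b"|" + user.encode()


def issue_canary(session_id: str, user: str, now: Optional[float] = None,
                 secret: bytes = SERVER_SECRET) -> str:
    """Issue a canary bound to one session and one user (hypothetical API)."""
    ts = int(time.time() if now is None else now)
    payload = struct.pack(">Q", ts) + os.urandom(16)
    mac = hmac.new(secret, _bind(payload, session_id, user), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def has_valid_canary(token: str, session_id: str, user: str, now: Optional[float] = None,
                     max_age: int = 3600, secret: bytes = SERVER_SECRET) -> bool:
    """Accept the canary only if it was minted by this server for this session and user
    and is still within its lifetime. Any parse failure is a rejection."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return False
    if len(raw) != _PAYLOAD_LEN + _MAC_LEN:
        return False
    payload, mac = raw[:_PAYLOAD_LEN], raw[_PAYLOAD_LEN:]
    expected = hmac.new(secret, _bind(payload, session_id, user), hashlib.sha256).digest()
    # Constant-time comparison so a mismatch does not leak where the token diverged.
    if not hmac.compare_digest(mac, expected):
        return False
    ts = struct.unpack(">Q", payload[:8])[0]
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= max_age


if __name__ == "__main__":
    t = issue_canary("session-A", "alice")
    print("same session/user:", has_valid_canary(t, "session-A", "alice"))
    print("other session:    ", has_valid_canary(t, "session-B", "alice"))
```

The check worth internalising is the second one: a token that validates for a session other than the one it was issued to, or under a different user, is not a CSRF defence, because the browser will happily attach it on a cross-site request. Binding and expiry are what make a cross-site-triggered request fail.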

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Microsoft Exchange Server: 2019 RTM 15.02.0221.012 - 2019 Cumulative Update 7 15.02.0721.002, 2016 RTM 15.01.0225.042 - 2016 Cumulative Update 18 15.01.2106.002


External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24085


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
