#VU53082 Improper validation of integrity check value in Microsoft Exchange Server


Published: 2021-05-11 | Updated: 2021-06-01

Vulnerability identifier: #VU53082

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-31209

CWE-ID: CWE-354

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Microsoft Exchange Server
Server applications / Mail servers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to bypass integrity checks.

The vulnerability exists within the handling of Exchange Server Help updates. A remote attacker on the local network can bypass integrity check on update downloads.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Exchange Server: 2013 Cumulative Update 23 15.00.1497.002, 2019 Cumulative Update 8 15.02.0792.003 - 2019 Cumulative Update 9 15.02.0858.005, 2016 Cumulative Update 19 15.01.2176.002 - 2016 Cumulative Update 20 15.01.2242.004


CPE

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31209
http://www.zerodayinitiative.com/advisories/ZDI-21-615/


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability