CyberCX Threat Advisory

Threat Advisory: Proof-of-Concepts released for Microsoft Exchange and Windows zero day vulnerabilities

Written by CyberCX | 9 December 2021 5:24:41 AM

Key Points 

  •  Around 23 November (local time), Proof-of-Concept exploits were publicly released for two zero day vulnerabilities affecting Microsoft Exchange and Microsoft Windows. 
  •  A patch for the Exchange vulnerability is available in Microsoft's November 2021 Patch Tuesday release; we urge customers to apply it immediately if it is suitable for their environment and they have not already done so. No patch or workaround is yet available for the Windows vulnerability. 

Public Proof-of-concept (PoC) released for high severity vulnerability CVE-2021-42321

See CyberCX Threat Advisory CCX-TA-2021-40 for more detail. 

PoC exploit code has been publicly released online for CVE-2021-42321 (CVSS 8.8), first described in CyberCX Threat Advisory CCX-TA-2021-40 on 10 November 2021.[1] This post-authentication remote code execution vulnerability affects Exchange Server 2016 and 2019; an attacker who already holds valid Exchange credentials can use it to execute code remotely on a vulnerable server. We assess that the availability of a public PoC significantly increases the likelihood of multiple threat actors attempting to exploit this vulnerability. 

The vulnerability was originally discovered during the Tianfu Cup contest in October, with Microsoft crediting a competing team for the discovery.4 Microsoft is aware of limited targeted attacks in the wild exploiting this vulnerability.
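The following PowerShell is an added example and is not part of the original advisory or Microsoft's own tooling. It shows the two checks a defender would run on each on-premises Exchange server: whether the ExSetup.exe file version is at or above the November 2021 Security Update build for that Cumulative Update (the CU-level build numbers are transcribed from Microsoft's release post, reference 3, and should be confirmed against it), and the Application-log hunt that Microsoft published with that update for failed BinaryFormatter deserialisation, which is the indicator it gave for exploitation attempts against CVE-2021-42321. The function names and the 30-day window are this example's own choices.

```powershell
# Added example (not from the CyberCX advisory or Microsoft): run in the Exchange
# Management Shell on each Exchange 2016/2019 server after the November 2021 SU.

# Minimum ExSetup.exe file versions after the November 2021 SU, per CU.
# Assumption: transcribed from Microsoft's November 2021 SU release post (reference 3);
# confirm against that post before relying on these values.
$PatchedBuilds = @{
    '15.2.986'  = [version]'15.2.986.14'   # Exchange 2019 CU11
    '15.2.922'  = [version]'15.2.922.19'   # Exchange 2019 CU10
    '15.1.2375' = [version]'15.1.2375.12'  # Exchange 2016 CU22
    '15.1.2308' = [version]'15.1.2308.20'  # Exchange 2016 CU21
}

function Test-ExchangeNovember2021SU {
    param(
        # ExSetup.exe's file version reflects the installed SU; Get-ExchangeServer's
        # AdminDisplayVersion only reflects the CU, so it cannot tell patched from unpatched.
        [string]$ExSetupPath = (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')
    )
    # FileVersion is a string such as "15.02.0986.014"; [version] normalises the zero padding.
    $fileVersion = [version](Get-Item $ExSetupPath).VersionInfo.FileVersion
    $cuKey = '{0}.{1}.{2}' -f $fileVersion.Major, $fileVersion.Minor, $fileVersion.Build

    if (-not $PatchedBuilds.ContainsKey($cuKey)) {
        # Either a CU for which Microsoft did not ship the November SU (upgrade the CU first)
        # or a CU newer than this table; treat as needing manual review.
        return [pscustomobject]@{ Build = $fileVersion; CU = $cuKey; Patched = $null }
    }
    return [pscustomobject]@{
        Build   = $fileVersion
        CU      = $cuKey
        Patched = ($fileVersion -ge $PatchedBuilds[$cuKey])
    }
}

function Find-ExchangeDeserializationErrors {
    param([int]$Days = 30)
    # Microsoft's published hunt for CVE-2021-42321 exploitation attempts: a failed
    # BinaryFormatter.Deserialize call is logged as an error by source "MSExchange Common".
    Get-EventLog -LogName Application -Source 'MSExchange Common' -EntryType Error `
                 -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object TimeGenerated, EventID,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

# Usage: patch status first, then the hunt (a hit is a trigger for incident response,
# not proof of compromise, since a failed deserialisation can also be a benign fault).
$status = Test-ExchangeNovember2021SU
$status | Format-List
if ($status.Patched -ne $true) {
    Write-Warning "ExSetup.exe build $($status.Build) is not at the November 2021 SU level for CU $($status.CU)."
}
Find-ExchangeDeserializationErrors -Days 30 | Format-Table -AutoSize
```

A server that reports Patched = $true can still have been exploited before the update was applied, so the event-log hunt is worth running regardless of patch status, and any hit should be correlated with IIS logs and the authenticated user named in the request.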

Public PoC released for Windows zero day privilege elevation vulnerability

A security researcher has publicly released PoC exploit code for an unpatched Windows privilege elevation zero day affecting Windows 10, Windows 11, and Windows Server 2022 instances.[4] The vulnerability can give threat actors SYSTEM privileges, helping them move laterally within a victim's network. 

The researcher discovered this zero day while examining a separate zero day that bypasses Microsoft's November Patch Tuesday patch for CVE-2021-41379.[5] According to the researcher, the zero day for which they released a PoC is a more powerful privilege elevation vulnerability than the bypass, because it also circumvents group policies configured to prevent 'Standard' users from performing MSI installer operations.[6] The exploit requires only limited access to a compromised device: it has been tested from an account with low-level 'Standard' privileges. 

We assess it is highly likely that multiple threat actors will attempt to use this exploit, particularly while there is no patch or workaround from Microsoft. 

 

Recommendations 

CyberCX urges customers to apply Microsoft's November 2021 security updates (including the Exchange Server Security Update that addresses CVE-2021-42321) immediately if they are suitable for their environment and have not already been applied. 

There is currently no patch or workaround available for the Windows zero day vulnerability; we strongly recommend patching as soon as Microsoft releases one. According to the researcher who discovered the vulnerability, attempting to fix it by patching the affected binary directly will break the Windows Installer, so customers should not attempt an unofficial fix. 

 

Additional Information 

For additional information, including specifics about the response within your IT environment, please contact cyberintel@cybercx.com.au or your usual CyberCX contact. 

If you are not a customer but would like help responding to the subject of this advisory, please contact cyberintel@cybercx.com.au. 

CyberCX Reference No#: CCX-TA-2021-43 

Date of Advisory: 23 November 2021 

 

Traffic Light Protocol 

Each classification is listed with its restrictions. 

RED: Highly Restricted 
Access to and use by recipients only. 

AMBER (Sensitive): Restricted Internal Access and Use Only 
Recipients must only make 'AMBER' information available within their organisation, strictly for internal purposes, on a need-to-know basis and only to assist in the protection of ICT systems. 

GREEN (Confidential): Restricted to Closed Groups and Subject to Confidentiality 
Recipients must not publish or post the information on the World Wide Web or otherwise release it in circumstances where confidentiality may not be maintained. 

WHITE: Not Restricted or Confidential 
For public, unrestricted dissemination, publication, web-posting or broadcast. Recipients may publish the information, subject to copyright and any restrictions or rights noted in the information. 

NOT CLASSIFIED 
Any advisory received from the CyberCX Cyber Intelligence team that is not classified in accordance with the TLP must be treated as 'AMBER' unless otherwise agreed in writing by the sender. 

 

Guide to CyberCX Cyber Intelligence reporting language 

CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments. 

Probability estimates reflect our estimate of the likelihood that an event or development occurs: 

Remote chance: less than 5% 
Highly unlikely: 5-20% 
Unlikely: 20-40% 
Real chance: 40-55% 
Likely: 55-80% 
Highly likely: 80-95% 
Almost certain: 95% or higher 

Note: if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is of low quality) we may use language such as "may be" or "suggest". 

Confidence levels reflect the validity and accuracy of our assessments: 

Low confidence: assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate. 
Moderate confidence: assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways. 
High confidence: assessment based on high-quality information that our analysts can corroborate from multiple, different sources. 


References 

[1] NVD entry for CVE-2021-42321: https://nvd.nist.gov/vuln/detail/CVE-2021-42321; public PoC: https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 

[2] BleepingComputer, "Exploit released for Microsoft Exchange RCE bug, patch now": https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-exchange-rce-bug-patch-now/ 

[3] Microsoft Exchange Team Blog, "Released: November 2021 Exchange Server Security Updates": https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169 

[4] InstallerFileTakeOver PoC repository: https://github.com/klinix5/InstallerFileTakeOver 

[5] MSRC update guide for CVE-2021-41379: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379 

[6] BleepingComputer, "New Windows zero-day with public exploit lets you become an admin": https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/ 