Gal_Goldshtein
F5 Employee

Recently, Microsoft has issued an out of band patch that aims to mitigate seven Remote Code Execution vulnerabilities in Microsoft Exchange. Microsoft Threat Intelligence Center (MSTIC) has observed active exploitation of four of those vulnerabilities in the wild. 



Figure 1: Microsoft Exchange 0-Day vulnerabilities exploited in the wild


The attacks are attributed to an APT group named HAFNIUM, which exploited those vulnerabilities mainly against targets from different industry sectors in the United States. After gaining access to vulnerable Exchange servers, HAFNIUM operators exfiltrated data such as the Exchange address book from the compromised server.


Currently there are no public technical details on the vulnerabilities, nor proof-of-concept exploits for them. Meanwhile, we have successfully recreated the exploit flow for the insecure deserialization vulnerability (CVE-2021-26857) and have released a dedicated attack signature to mitigate it.


We will continue the analysis of the rest of the vulnerabilities, and we are closely monitoring for public POC exploits related to them.


Mitigating CVE-2021-26855 and CVE-2021-26857 with Advanced WAF

Advanced WAF customers on any supported version are already protected against those vulnerabilities, as exploitation attempts will be detected by dedicated signatures recently released. The signatures can be found under the "Server Side Code Injection Signatures" and "Other Application Attacks Signatures" signature sets.



Figure 2: CVE-2021-26855 Exploit attempt blocked by signature id 200018127



Figure 3: CVE-2021-26855 Exploit attempt blocked by signature id 200018128



Figure 4: CVE-2021-26857 Exploit attempt blocked by signature id 200104705


Mitigating CVE-2021-26855 and CVE-2021-26857 with Threat Campaigns


Advanced WAF customers with a Threat Campaigns license can detect and block campaigns targeting those vulnerabilities with the following Threat Campaigns:

  • Microsoft Exchange Resource Cookie SSRF
  • Microsoft Exchange ContactInfo Unsafe Deserialization



Figure 5: CVE-2021-26855 Exploit attempt blocked by Threat Campaigns feature


Figure 6: CVE-2021-26857 Exploit attempt blocked by Threat Campaigns feature


Additional References

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Comments
Wei
Nimbostratus

May I know when the official publication will be released?

xaxe
Altostratus

Hi,

We're running Exchange (OWA) behind an F5 using the Exchange 2016 IAPP, which presents the F5 forms-based logon before even displaying the Exchange/OWA logon screen.

We are scrambling to patch the server; however, are we protected by being behind the IAPP/F5?

Gal_Goldshtein
F5 Employee

Xaxe - You need Advanced WAF / ASM license in order to protect OWA using the signatures we mentioned.

Version history
Last update: 04-Mar-2021 08:41