Microsoft Exchange Server is a popular target for cyber criminals. The mail server is widespread among companies and public authorities and is often the entry point into their networks. Last week, security researcher Orange Tsai presented new attacks on the software at the Black Hat 2021 conference. Only a few days later, honeypot operators are apparently already seeing targeted scans for the vulnerabilities. Administrators should immediately install all available updates on their servers. The updates appeared months ago and close the gap.
As Tsai described in the talk, several problems had to be chained together to gain access from outside as an unauthenticated user and then obtain higher privileges. The weak point was in the Exchange Client Access Service (CAS), which handles incoming traffic for the various protocols. The open gate was the Autodiscover function. Mail clients use Autodiscover to fetch details about the server during setup, saving the user from having to type in the server address, port, and other settings.
Patches available since April
Three CVE numbers were assigned to the problems, which are collectively named ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Microsoft fixed them in April and May with KB5001779 and KB5003435. Microsoft patched the first two holes before Tsai reported them, so the company may have learned of them some other way. Anyone who has not patched their internet-connected servers since then needs to do so quickly.
Just days after the Black Hat talk, IT security expert Kevin Beaumont noticed log entries on an Exchange server he had set up as a honeypot showing attempts to exploit the Autodiscover vulnerability. This indicates that attackers also follow presentations at security conferences and quickly adapt their automated scans.
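The kind of triage Beaumont's honeypot observation calls for is a quick pass over the Exchange front end's IIS logs to see which clients are hammering the Autodiscover endpoint and what they are sending. The script below is an added example written for this article, not code from the article, from Beaumont or from Microsoft. It assumes the default IIS W3C field order listed in FIELDS (compare it with the `#Fields:` line in your own logs) and flags any client that hits `/autodiscover/` repeatedly with varying query strings, a crude scanner signature chosen here as a starting heuristic. All log lines, IP addresses and user agents in it are constructed, not captured traffic.

```python
"""Triage Autodiscover requests in IIS W3C logs from an Exchange front end.

Added example, not part of the article or of any tool named in it. Assumes
the default IIS field order in FIELDS; adjust it to match the #Fields line of
your own logs. The log lines below are constructed, not captured traffic.
"""
from collections import defaultdict

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample: one legitimate Outlook Autodiscover call from 198.51.100.7
# and a burst of scripted requests from 203.0.113.10.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-09 10:00:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-09 10:00:05 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.7 Microsoft+Office/16.0 401
2021-08-09 10:01:10 10.0.0.5 GET /Autodiscover/Autodiscover.json a=1 443 - 203.0.113.10 python-requests/2.25.1 401
2021-08-09 10:01:11 10.0.0.5 GET /Autodiscover/Autodiscover.json a=2 443 - 203.0.113.10 python-requests/2.25.1 401
2021-08-09 10:01:12 10.0.0.5 GET /autodiscover/autodiscover.json a=3 443 - 203.0.113.10 python-requests/2.25.1 200
2021-08-09 10:01:13 10.0.0.5 GET /autodiscover/autodiscover.json a=4 443 - 203.0.113.10 python-requests/2.25.1 200
2021-08-09 10:02:00 10.0.0.5 GET /ecp/ - 443 - 203.0.113.10 python-requests/2.25.1 401
"""


def parse_lines(text):
    """Yield one dict per data line; skip comment lines and malformed lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def autodiscover_activity(text):
    """Per client IP: number of Autodiscover requests plus the distinct query
    strings, user agents and status codes seen. Path matching ignores case."""
    stats = defaultdict(lambda: {"count": 0, "queries": set(),
                                 "agents": set(), "statuses": set()})
    for rec in parse_lines(text):
        if not rec["cs-uri-stem"].lower().startswith("/autodiscover/"):
            continue
        entry = stats[rec["c-ip"]]
        entry["count"] += 1
        entry["queries"].add(rec["cs-uri-query"])
        entry["agents"].add(rec["cs(User-Agent)"])
        entry["statuses"].add(rec["sc-status"])
    return dict(stats)


def flag_sources(text, min_requests=3):
    """Return client IPs worth a closer look: at least min_requests Autodiscover
    hits with more than one distinct query string. This threshold is a
    constructed triage heuristic, not a published detection rule."""
    flagged = []
    for ip, entry in autodiscover_activity(text).items():
        if entry["count"] >= min_requests and len(entry["queries"]) > 1:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, entry in autodiscover_activity(SAMPLE_LOG).items():
        print(ip, entry["count"], sorted(entry["queries"]),
              sorted(entry["agents"]), sorted(entry["statuses"]))
    print("review:", flag_sources(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the legitimate Outlook client is left alone because it sends a single request with no query string, while the scripted source is listed for review. Whatever the verdict on individual sources, the actual fix remains installing the April and May updates.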
Security researcher Orange Tsai, meanwhile, cannot expect a reward from Microsoft's bug bounty program: Exchange Server is not covered by it.