[Security Advisory] Multiple high-severity vulnerabilities in Microsoft Exchange (CVE-2021-26855 etc.)


Exchange is Microsoft's e-mail server component suite, a messaging and collaboration system.

Microsoft recently published a risk advisory for multiple high-severity Exchange vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

CVE-2021-26855: Server-side request forgery

A server-side request forgery (SSRF) vulnerability in Exchange. An attacker exploiting it can send arbitrary HTTP requests and authenticate as the Exchange Server.

CVE-2021-26857: Insecure deserialization

Exchange contains an insecure deserialization vulnerability. Exploiting it requires administrator privileges; an attacker who does so can run code as SYSTEM on the Exchange server.

CVE-2021-26858 / CVE-2021-27065: Arbitrary file write

Post-authentication arbitrary file write vulnerabilities in Exchange. After authenticating to the Exchange server, an attacker can use them to write a file to any path on the server. They can be chained with the CVE-2021-26855 SSRF vulnerability.

CVE IDs

CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065

FOFA query statements

Microsoft Exchange 2013:
app="Microsoft-Exchange-2013"||app="Microsoft-Exchange-Server-2013-CU21"||app="Microsoft-Exchange-Server-2013-CU17"||app="Microsoft-Exchange-Server-2013-CU23"||app="Microsoft-Exchange-Server-2013-CU13"||app="Microsoft-Exchange-Server-2013-CU22"||app="Microsoft-Exchange-Server-2013-CU11"||app="Microsoft-Exchange-Server-2013-CU2"||app="Microsoft-Exchange-Server-2013-CU16"||app="Microsoft-Exchange-Server-2013-CU19"||app="Microsoft-Exchange-Server-2013-CU3"||app="Microsoft-Exchange-Server-2013-CU18"||app="Microsoft-Exchange-Server-2013-CU5"||app="Microsoft-Exchange-Server-2013-CU20"||app="Microsoft-Exchange-Server-2013-CU12"||app="Microsoft-Exchange-Server-2013-CU15"||app="Microsoft-Exchange-Server-2013-CU10"||app="Microsoft-Exchange-Server-2013-CU9"||app="Microsoft-Exchange-Server-2013-CU6"||app="Microsoft-Exchange-Server-2013-CU7"||app="Microsoft-Exchange-Server-2013-CU1"||app="Microsoft-Exchange-Server-2013-CU14"||app="Microsoft-Exchange-Server-2013-CU8"||app="Microsoft-Exchange-Server-2013-RTM"||app="Microsoft-Exchange-Server-2013-SP1"||app="Microsoft-Exchange-2013"

Microsoft Exchange 2016:
app="Microsoft-Exchange-Server-2016-CU19"||app="Microsoft-Exchange-Server-2016-CU3"||app="Microsoft-Exchange-Server-2016-CU12"||app="Microsoft-Exchange-Server-2016-RTM"||app="Microsoft-Exchange-Server-2016-CU7"||app="Microsoft-Exchange-Server-2016-CU17"||app="Microsoft-Exchange-Server-2016-CU2"||app="Microsoft-Exchange-Server-2016-CU1"||app="Microsoft-Exchange-Server-2016-CU14"||app="Microsoft-Exchange-Server-2016-CU5"||app="Microsoft-Exchange-Server-2016-CU11"||app="Microsoft-Exchange-Server-2016-CU9"||app="Microsoft-Exchange-Server-2016-CU16"||app="Microsoft-Exchange-Server-2016-CU10"||app="Microsoft-Exchange-Server-2016-CU6"||app="Microsoft-Exchange-Server-2016-CU13"||app="Microsoft-Exchange-Server-2016-CU18"||app="Microsoft-Exchange-Server-2016-CU8"||app="Microsoft-Exchange-Server-2016-CU4"||app="Microsoft-Exchange-2016-POP3-server"

Microsoft Exchange 2019:
app="Microsoft-Exchange-Server-2019-CU5"||app="Microsoft-Exchange-Server-2019-CU3"||app="Microsoft-Exchange-Server-2019-Preview"||app="Microsoft-Exchange-Server-2019-CU8"||app="Microsoft-Exchange-Server-2019-CU1"||app="Microsoft-Exchange-Server-2019-CU7"||app="Microsoft-Exchange-Server-2019-CU2"||app="Microsoft-Exchange-Server-2019-CU6"||app="Microsoft-Exchange-Server-2019-RTM"||app="Microsoft-Exchange-Server-2019-CU4"

Microsoft Exchange 2010:
app="Microsoft-Exchange-2010-POP3-server-version-03.1"||app="Microsoft-Exchange-Server-2010"

Affected versions

  • microsoft:exchange: 2013/2016/2019/2010

According to the latest FOFA data (within the past year), 1,563,491 related services matching app="Microsoft-Exchange" are exposed worldwide. The United States has the most, with 353,403; Germany is second with 231,069; the United Kingdom third with 85,074; Hong Kong, China fourth with 76,719; and the Netherlands fifth with 59,420.

The global distribution is shown below (distribution of exposed services only, not of vulnerable hosts).


In mainland China, Shanghai has the most, with 8,557; Guangdong is second with 6,846; Beijing third with 5,060; Jiangsu fourth with 4,180; and Zhejiang fifth with 1,803.


Remediation

  1. Microsoft has released security updates; users should update to a patched version.

    CVE-2021-26855 update link:

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

    CVE-2021-26857 update link:

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

    CVE-2021-26858 update link:

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

    CVE-2021-27065 update link:

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

  2. Interim mitigation and detection advice:

    CVE-2021-26855: server-side request forgery

    Exploitation can be detected from the Exchange HttpProxy logs under:

    %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

    The following PowerShell runs the log check directly and shows whether the server was attacked (it lists requests that carried no authenticated user but were routed with a ServerInfo~ anchor mailbox):

    Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

    If an intrusion is detected, the attacker's activity on the server can be reconstructed from the logs in this directory:

    %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging
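    As an added example that is not from the original advisory, the same condition the PowerShell one-liner above filters on (AuthenticatedUser empty and AnchorMailbox matching ServerInfo~*/*), implemented in Python over a constructed, reduced HttpProxy log sample. The column subset and the rows are assumptions for illustration, and scan_httpproxy_dir() is a hypothetical helper for running the check over a real Logging\HttpProxy tree.

```python
import csv
import fnmatch
from pathlib import Path

# Constructed sample of an Exchange HttpProxy log, reduced to a subset of the
# real columns; the '#' header lines mimic the real layout, the rows are made up.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.123Z,r1,10.0.0.5,/owa/,CONTOSO\\alice,Smtp~alice@contoso.example
2021-03-02T10:16:44.001Z,r2,10.0.0.9,/ecp/,,ServerInfo~localhost/ecp/
2021-03-02T10:17:02.500Z,r3,10.0.0.9,/ecp/,CONTOSO\\bob,ServerInfo~mail.contoso.example/ecp/
2021-03-02T10:18:09.222Z,r4,10.0.0.3,/ews/,,Sid~S-1-5-21-1000
"""


def parse_httpproxy_log(text):
    """Parse one HttpProxy log into row dicts, skipping the '#' comment lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    return list(csv.DictReader(rows))


def find_unauthenticated_serverinfo(rows, pattern="ServerInfo~*/*"):
    """Return (DateTime, AnchorMailbox) for requests that carried no authenticated
    user but were routed with a ServerInfo~ anchor, i.e. the same filter as the
    PowerShell Where-Object. Matching is case-insensitive, like -like."""
    hits = []
    for row in rows:
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor.lower(), pattern.lower()):
            hits.append((row["DateTime"], anchor))
    return hits


def scan_httpproxy_dir(root):
    """Hypothetical helper: apply the check to every *.log under a real
    Logging\\HttpProxy directory (recursively, like Get-ChildItem -Recurse)."""
    hits = []
    for path in Path(root).rglob("*.log"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_unauthenticated_serverinfo(parse_httpproxy_log(text)))
    return hits


if __name__ == "__main__":
    # On the constructed sample only row r2 satisfies the condition.
    for when, anchor in find_unauthenticated_serverinfo(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)):
        print(when, anchor)
```

Rows with an empty AuthenticatedUser but a Smtp~ or Sid~ anchor are deliberately not flagged, matching the PowerShell filter; the hits are the entries worth correlating with the other Logging directories.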

    CVE-2021-26857: insecure deserialization

    This vulnerability is somewhat harder to exploit on its own; the following command checks the relevant log entries for signs of attack:

    Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
    

    CVE-2021-26858: remote code execution vulnerability

    Log directory: C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

    The following command gives a quick scan of those logs for signs of attack:

    findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
    

    CVE-2021-27065: arbitrary file write

    Check the logs for signs of attack with the following PowerShell command:

    Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15
    


白帽汇 (BaiMaoHui) works in information security, focusing on security big data and enterprise threat intelligence.
