Pierluigi Paganini March 09, 2021

Microsoft released ProxyLogon security updates for Microsoft Exchange servers running vulnerable unsupported Cumulative Update versions.

On March 2nd, Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

Now Microsoft has released security updates for Microsoft Exchange servers running unsupported Cumulative Update versions that are affected by the above vulnerabilities, collectively tracked as ProxyLogon.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued the Emergency Directive 21-02 in response to the disclosure of zero-day vulnerabilities in Microsoft Exchange.  The US CISA ordered federal agencies to urgently update or disconnect MS Exchange on-premises installs.

Microsoft’s move aims to temporarily protect the servers of its customers until they can install the latest updates for the Exchange servers.

“To help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs).” state the Microsoft Exchange team. “This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.”

To install the updates follow this step-by-step procedure:

1.      Download the update but do not run it immediately.
2.      Temporarily disable file-level antivirus software       
3.      Select Start, and type CMD.
4.      In the results, right-click Command Prompt, and then select Run as administrator.
5.      If the User Account Control dialog box appears, choose Yes, and then select Continue.
6.      Type the full path of the .msp file, and then press Enter.
7.      After the installation is finished, re-enable the antivirus software, and then restart the computer. (You might be prompted by the installer to restart.)

Microsoft has also updated its Microsoft Safety Scanner (MSERT) tool to detect web shells employed in the recent Exchange Server attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, GootKit)

[adrotate banner=”5″]

[adrotate banner=”13″]