CVE-2021-26858

Опубликовано: 10 мар. 2021

Источник: msrc

CVSS3: 7.8

EPSS Высокий

Описание

Microsoft Exchange Server Remote Code Execution Vulnerability

Меры по смягчению последствий

This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

We recommend prioritizing installing updates on Exchange Servers that are externally facing.

FAQ

Is this vulnerability being used in an active attack?

Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.

What is the target for this attack?

The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.

Where can I get more information about how to protect myself from the vulnerabilities?

Please see On-Premises Exchange Server Vulnerabilities Resource Center – updated March 25, 2021.

If I install the Security Updates for the older Cumulative Updates, am I fully protected from vulnerabilities for all published CVEs?

No, you will be protected from the vulnerabilities documented by CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858. You will not be protected from some previous CVEs as shown in the table below.

Yes: the system is protected from the vulnerability.
No: the system is not protected from the vulnerability.

Microsoft Exchange Server 2019

Date Released	Severity	CVE	ES 2019 CU8	ES 2019 CU7	ES 2019 CU6	ES 2019 CU5	ES 2019 CU4	ES 2019 CU3	ES 2019 CU2	ES 2019 CU1	ES 2019
8/14/2018	Critical	CVE-2018-8302	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
10/9/2018	Important	CVE-2018-8448	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
11/13/2018	Important	CVE-2018-8581	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
12/11/2018	Important	CVE-2018-8604	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
1/8/2019	Important	CVE-2019-0586	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
1/8/2019	Important	CVE-2019-0588	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
2/12/2019	Important	CVE-2019-0686	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
2/12/2019	Important	CVE-2019-0724	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
9/10/2019	Important	CVE-2019-1233	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No
10/19/2019	Important	CVE-2019-1266	Yes	Yes	Yes	Yes	Yes	No	No	No	No
11/12/2019	Critical	CVE-2019-1373	Yes	Yes	Yes	Yes	Yes	No	No	No	No
2/11/2020	Important	CVE-2020-0688	Yes	Yes	Yes	Yes	No	No	No	No	No
2/11/2020	Important	CVE-2020-0692	Yes	Yes	Yes	Yes	No	No	No	No	No
3/10/2020	Important	CVE-2020-0903	Yes	Yes	Yes	Yes	No	No	No	No	No
9/8/2020	Critical	CVE-2020-16875	Yes	Yes	No	No	No	No	No	No	No
10/13/2020	Important	CVE-2020-16969	Yes	Yes	No	No	No	No	No	No	No
11/10/2020	Important	CVE-2020-17083	Yes	Yes	No	No	No	No	No	No	No
11/10/2020	Important	CVE-2020-17084	Yes	Yes	No	No	No	No	No	No	No
11/10/2020	Important	CVE-2020-17085	Yes	Yes	No	No	No	No	No	No	No
12/8/2020	Critical	CVE-2020-17117	Yes	Yes	No	No	No	No	No	No	No
12/8/2020	Critical	CVE-2020-17132	Yes	Yes	No	No	No	No	No	No	No
12/8/2020	Important	CVE-2020-17141	Yes	Yes	No	No	No	No	No	No	No
12/8/2020	Critical	CVE-2020-17142	Yes	Yes	No	No	No	No	No	No	No
12/8/2020	Important	CVE-2020-17143	Yes	Yes	No	No	No	No	No	No	No
12/8/2020	Important	CVE-2020-17144	Yes	Yes	No	No	No	No	No	No	No
2/9/2021	Important	CVE-2021-1730	Yes	Yes	No	No	No	No	No	No	No
2/9/2021	Important	CVE-2021-24085	Yes	Yes	No	No	No	No	No	No	No
3/2/2021	Important	CVE-2021-26412	Yes	Yes	No	No	No	No	No	No	No
3/2/2021	Important	CVE-2021-26854	Yes	Yes	No	No	No	No	No	No	No

Microsoft Exchange Server 2016

Date Released	Severity	CVE	ES 2016 CU19	ES 2016 CU18	ES 2016 CU16	ES 2016 CU15	ES 2016 CU14	ES 2016 CU17	ES 2016 CU13	ES 2016 CU12	ES 2016 CU11	ES 2016 CU10	ES 2016 CU9	ES 2016 CU8
3/13/2018	Important	CVE-2018-0940	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
3/13/2018	Important	CVE-2018-0941	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
4/3/2018	Critical	CVE-2018-0986	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
5/8/2018	Important	CVE-2018-8151	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
5/8/2018	Important	CVE-2018-8152	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
5/8/2018	Critical	CVE-2018-8154	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
5/8/2018	Important	CVE-2018-8159	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
10/9/2018	Important	CVE-2018-8265	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No
8/14/2018	Critical	CVE-2018-8302	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No
10/9/2018	Important	CVE-2018-8448	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
11/13/2018	Important	CVE-2018-8581	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
12/11/2018	Important	CVE-2018-8604	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
1/8/2019	Important	CVE-2019-0586	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
1/8/2019	Important	CVE-2019-0588	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
2/12/2019	Important	CVE-2019-0686	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
2/12/2019	Important	CVE-2019-0724	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
4/9/2019	Important	CVE-2019-0817	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No
4/9/2019	Important	CVE-2019-0858	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No
7/9/2019	Important	CVE-2019-1084	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
7/9/2019	Important	CVE-2019-1136	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
7/9/2019	Important	CVE-2019-1137	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
9/10/2019	Important	CVE-2019-1233	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
10/19/2019	Important	CVE-2019-1266	Yes	Yes	Yes	Yes	No	Yes	No	No	No	No	No	No
11/12/2019	Critical	CVE-2019-1373	Yes	Yes	Yes	Yes	No	Yes	No	No	No	No	No	No
2/11/2020	Important	CVE-2020-0688	Yes	Yes	Yes	Yes	No	Yes	No	No	No	No	No	No
2/11/2020	Important	CVE-2020-0692	Yes	Yes	Yes	Yes	No	Yes	No	No	No	No	No	No
3/10/2020	Important	CVE-2020-0903	Yes	Yes	Yes	Yes	No	Yes	No	No	No	No	No	No
9/8/2020	Critical	CVE-2020-16875	Yes	Yes	No	No	No	No	No	No	No	No	No	No
10/13/2020	Important	CVE-2020-16969	Yes	Yes	No	No	No	No	No	No	No	No	No	No
11/10/2020	Important	CVE-2020-17083	Yes	Yes	No	No	No	No	No	No	No	No	No	No
11/10/2020	Important	CVE-2020-17084	Yes	Yes	No	No	No	No	No	No	No	No	No	No
11/10/2020	Important	CVE-2020-17085	Yes	Yes	No	No	No	No	No	No	No	No	No	No
12/8/2020	Critical	CVE-2020-17117	Yes	Yes	No	No	No	No	No	No	No	No	No	No
12/8/2020	Critical	CVE-2020-17132	Yes	Yes	No	No	No	No	No	No	No	No	No	No
12/8/2020	Important	CVE-2020-17141	Yes	Yes	No	No	No	No	No	No	No	No	No	No
12/8/2020	Critical	CVE-2020-17142	Yes	Yes	No	No	No	No	No	No	No	No	No	No
12/8/2020	Important	CVE-2020-17143	Yes	Yes	No	No	No	No	No	No	No	No	No	No
12/8/2020	Important	CVE-2020-17144	Yes	Yes	No	No	No	No	No	No	No	No	No	No
2/9/2021	Important	CVE-2021-1730	Yes	Yes	No	No	No	No	No	No	No	No	No	No
2/9/2021	Important	CVE-2021-24085	Yes	Yes	No	No	No	No	No	No	No	No	No	No
3/2/2021	Important	CVE-2021-26412	Yes	Yes	No	No	No	No	No	No	No	No	No	No
3/2/2021	Important	CVE-2021-26854	Yes	Yes	No	No	No	No	No	No	No	No	No	No

Microsoft Exchange Server 2013 CU 22 was released February 12, 2019 after which 31 vulnerabilities have been found and remediated.
Microsoft Exchange Server 2013 CU 21 was released June 19, 2018 after which 38 vulnerabilities have been found and remediated.
Microsoft Exchange Server 2013 Service Pack 1 was released February 25, 2014 after which 82 vulnerabilities have been found and remediated.

Please see Exchange Server build numbers and release dates for more information on Exchange Server Cumulative Updates release dates.

Обновления

Продукт	Статья	Обновление
Microsoft Exchange Server 2016 Cumulative Update 8	5000871	Security Update
Microsoft Exchange Server 2016 Cumulative Update 9	5000871	Security Update
Microsoft Exchange Server 2013 Cumulative Update 21	5000871	Security Update
Microsoft Exchange Server 2016 Cumulative Update 10	5000871	Security Update
Microsoft Exchange Server 2019	5000871	Security Update
Microsoft Exchange Server 2016 Cumulative Update 11	5000871	Security Update
Microsoft Exchange Server 2013 Cumulative Update 22	5000871	Security Update
Microsoft Exchange Server 2016 Cumulative Update 12	5000871	Security Update
Microsoft Exchange Server 2019 Cumulative Update 1	5000871	Security Update
Microsoft Exchange Server 2019 Cumulative Update 2	5000871	Security Update

Показывать по

Возможность эксплуатации

Publicly Disclosed

Exploited

Yes

Latest Software Release

Exploitation Detected

Older Software Release

Exploitation Detected

DOS

N/A

EPSS

Процентиль: 99%

0.75395

Высокий

7.8 High

CVSS3

Связанные уязвимости

CVE-2021-26858

CVSS3: 7.8

nvd

больше 4 лет назад

Microsoft Exchange Server Remote Code Execution Vulnerability

GHSA-r4wp-245q-vr5w

CVSS3: 7.8

github

около 3 лет назад

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.

BDU:2021-01121

CVSS3: 8.8

fstec

больше 4 лет назад

Уязвимость почтового сервера Microsoft Exchange Server, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю перезаписать произвольные файлы в системе

CVE-2021-27065

CVSS3: 7.8

msrc

больше 4 лет назад

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26857

CVSS3: 7.8

msrc

больше 4 лет назад

Microsoft Exchange Server Remote Code Execution Vulnerability

EPSS

Процентиль: 99%

0.75395

Высокий

7.8 High

CVSS3