gwillcox-r7's assessment of CVE-2021-34473

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Add Assessment

gwillcox-r7 (579)

July 14, 2021 5:15pm UTC (3 years ago)•

Ratings

Attacker Value

Very High

Exploitability

Medium

Common in enterprise Gives privileged access Vulnerable in default configuration

Technical Analysis

From https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html there was a note that this vulnerability seems to have been used in some Exchange Server APT attacks detailed at https://blog.talosintelligence.com/2021/03/hafnium-update.html however it wasn’t disclosed that this vulnerability was patched despite being patched back in April 2021. Since this was under active exploitation it is recommended to patch this vulnerability if you haven’t applied April 2021’s patch updates already.

Successful exploitation will result in RCE on affected Exchange Servers, and requires no prior user privileges, so patch this soon!

cbeek-r7 (181)

November 22, 2024 9:07am UTC (1 day ago)

Ratings

Observed in ransomware attacks

Technical Analysis

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access towards victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.1 Critical

Impact Score:

5.2

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

None

Vendors

microsoft

Products

exchange server 2013,
exchange server 2016,
exchange server 2019

Metasploit Modules

exploit/windows/http/exchange_proxyshell_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.ic3.gov/Media/News/2022/220318.pdf)
Threat Feed (https://cybersecurityworks.com/blog/ransomware/all-about-hive-ransomware.html)
News Article or Blog (https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html)

Reported: July 14, 2021 5:13pm UTC (3 years ago) • Edited 1 year ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:15am UTC (2 weeks ago)

cbeek-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf)

Reported: November 22, 2024 9:06am UTC (1 day ago)

References

Canonical

CVE-2021-34473 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473

https://www.zerodayinitiative.com/advisories/ZDI-21-821/

http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html

Ransomware (https://redmondmag.com/articles/2021/08/24/proxyshell-exchange-server-flaw.aspx)

Rapid7

Very High

CVE-2021-34473

Very High

Moderate

None

None

Network

CVE-2021-34473

Description

Add Assessment

Ratings

Technical Analysis

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2021-34473

Very High

Moderate

None

None

Network

CVE-2021-34473

Description

Add Assessment

Ratings

Technical Analysis

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification