Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Required
Privileges Required
Low
Attack Vector
Network
7

CVE-2021-24085

Disclosure Date: February 25, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Privilege Escalation
Techniques
Validation
Validated
Validated

Description

Microsoft Exchange Server Spoofing Vulnerability

Add Assessment

3
Ratings
Technical Analysis

This attack is super useful to gain privileged access to an Exchange server. Given the ubiquity of the target, it’s remote nature, the presence of a simple python PoC, and the benefits from gaining privileged access to a mail server, hackers will be reaching for this exploit frequently, even if it does require authentication.
Further complicating matters is that the requests themselves are through https, so standard deployment for NIDS likely will not catch the attack. If you’ve added certificates to your NIDS to decrypt traffic, then it might catch the attack, but that scenario is not particularly common, especially in small to midsize organizations.
Patching is the primary method for mitigating this attack, though the logs left afterward (if they are not destroyed) are straightforward and reviewed in the technical analysis here: https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085?#rapid7-analysis

2
Technical Analysis

In order for a threat actor to successfully exploit this vulnerability they must trick a privileged user (ideally an Exchange administrator) into clicking on a prepared link containing the malicious JavaScript code. This code can send requests to the ECP on behalf of the administrator. As a result, the attacker would gain access to the Exchange server with System privileges via the downloaded web shell.

Source: https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/?utm_source=twitter&utm_medium=post&utm_campaign=23/06/21_cp_en&utm_content=read

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.7
Exploitability Score:
2.3
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
Low

General Information

Vendors

  • microsoft

Products

  • exchange server 2016,
  • exchange server 2019

Additional Info

Technical Analysis

Threat status: Impending

CVE-2020-24085 is a Microsoft Exchange Server spoofing vulnerability released as part of Microsoft’s February Patch Tuesday advisories. The vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server; successful exploitation requires authentication and user interaction (visiting a malicious page). Security researcher Steven Seeley, who discovered the vulnerability, has had a public proof-of-concept exploit available since February 15, 2021.

On Tuesday, March 2, 2021, Microsoft and Volexity released details on four actively exploited zero-day vulnerabilities in Microsoft Exchange being leveraged to deliver chopper webshells and other malware by a threat actor they track as “hafnium.” While there is no evidence currently that CVE-2021-24085 is being utilized in the same campaign, the increase in exploits targeting Microsoft Exchange further underscores the need to upgrade Exchange servers to the latest version (as of Tuesday, March 2, 2021) as soon as possible.

Affected products

  • Microsoft Exchange Server 2019 Cumulative Update 7 and later
  • Microsoft Exchange Server 2016 Cumulative Update 18 and later

Rapid7 analysis

Exchange servers are frequent, high-value attack targets whose patch rates often lag behind attacker capabilities.

As part of the PoC for CVE-2021-24085, the attacker will search for a specific token using a request to /ecp/DDI/DDIService.svc/GetList. If that request is successful, the PoC moves on to writing the desired token to the server’s filesystem with the request /ecp/DDI/DDIService.svc/SetObject. At that point, the token is available for downloading directly by an authenticated user. The PoC uses a download request to /ecp/poc.png (though the name could be anything) and may be recorded in the IIS logs themselves attached to the IP of the initial attack.

Indicators of compromise would include the requests to both /ecp/DDI/DDIService.svc/GetList and /ecp/DDI/DDIService.svc/SetObject, especially if those requests were associated with an odd user agent string like python. Because the PoC utilizes SetObject to write the privileged token to the server’s filesystem in a location readable by an authenticated user, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker’s IP downloaded any files.