The National Cyber Security Centre (NCSC) issued advice about exploitation of Exchange Server vulnerabilities in March, and Microsoft quickly provided a number of patches and mitigation actions.

You might remember the news in mid-March that thousands of servers remained unpatched. Now there is another set of vulnerabilities, and patches for them too.

Four new vulnerabilities

On 13 April 2021, four new ‘remote code execution’ vulnerabilities were identified by Microsoft:

  1. CVE-2021-28480
  2. CVE-2021-28481
  3. CVE-2021-28482
  4. CVE-2021-28483

Also on 13 April, which was ‘Update Tuesday’ or ‘Patch Tuesday’, Microsoft released the April update packages and these include patches to address these vulnerabilities. There’s more information at the Microsoft Security Response Centre.

Which systems are affected?

Microsoft have stated that:

  • Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 are affected.
  • Exchange Server 2010 is not affected by these vulnerabilities.
  • Exchange Online (and Microsoft 365/Office 365) are not affected by these vulnerabilities.

You can find out more at the Microsoft Exchange Team’s blog post.

What is a remote code vulnerability?

Remote code vulnerabilities potentially allow an attacker to perform remote code execution. This means that an attacker may be able to run programs or scripts on an affected device over the Internet.

How serious are these vulnerabilities?

These vulnerabilities were reported to Microsoft by the US National Security Agency (NSA).

At the time, there weren’t any reported incidents of these vulnerabilities being exploited in real world conditions.

However, all four vulnerabilities are assessed as ‘Critical’ severity level, and given the attacker attention towards on-premises Exchange Servers in March, it is likely that there will be real-world exploitation soon.

It is therefore recommended that the updates are applied as a priority.

Recommended Actions

  1. If you use Think IT, just get in touch to check whether your Exchange Server is potentially vulnerable, whether we’ve already patched it, or to schedule a time to have the updates installed.
  2. Check if the updates apply to you. The updates are available for the following specific builds of Exchange Server:
  3. Install the 13 April 2021 security updates as soon as possible. Note that Microsoft advise these updates require ‘Run as administrator’ in order to update correctly. There are three ways to obtain and install the updates:
  4. We recommend that automatic updates are turned on. This automates the installation of patches for security issues.
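To support step 2 (checking whether the updates apply to your build), here is an added PowerShell example; it is not from this post, from Think IT or from Microsoft. It reads the installed Exchange build from ExSetup.exe on the local server and compares it with the list of patched builds. The `$PatchedBuilds` entries are placeholders: fill them in from the Microsoft Security Response Centre advisory or the Exchange Team blog post linked above, and the script refuses to run until you do. Run it from an elevated (‘Run as administrator’) PowerShell prompt on the Exchange Server.

```powershell
# Added example (not part of the original post): compare the locally installed
# Exchange build with the builds Microsoft lists as carrying the
# 13 April 2021 security updates.

# PLACEHOLDERS: replace with the patched builds from the Microsoft advisory.
# Exchange builds are <major>.<minor>.<CU build>.<update>: the third number
# identifies the Cumulative Update (CU) and the fourth the Security Update (SU)
# applied on top of it. Security updates exist only for specific CUs.
$PatchedBuilds = @(
    '15.0.PLACEHOLDER.PLACEHOLDER'   # Exchange Server 2013, supported CU
    '15.1.PLACEHOLDER.PLACEHOLDER'   # Exchange Server 2016, supported CU
    '15.2.PLACEHOLDER.PLACEHOLDER'   # Exchange Server 2019, supported CU
)

function Get-InstalledExchangeVersion {
    # Exchange setup sets ExchangeInstallPath on every server role.
    if (-not $env:ExchangeInstallPath) {
        throw 'ExchangeInstallPath is not set; this does not look like an Exchange Server.'
    }
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $info = (Get-Item -LiteralPath $exsetup).VersionInfo
    # ProductVersion is reported as e.g. 15.02.0858.010; [version] normalises it.
    return [version]$info.ProductVersion
}

function Test-ExchangePatched {
    param(
        [Parameter(Mandatory)] [version]  $Installed,
        [Parameter(Mandatory)] [string[]] $PatchedBuilds
    )

    # Only accept entries that have been filled in with a real four-part build.
    $candidates = $PatchedBuilds |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } |
        ForEach-Object { [version]$_ }
    if (-not $candidates) {
        throw 'Fill in $PatchedBuilds with the builds from the Microsoft advisory first.'
    }

    $result = [ordered]@{ Installed = $Installed.ToString(); Status = '' }

    # Exchange Server 2010 (14.x) is not affected by these vulnerabilities.
    if ($Installed.Major -lt 15) {
        $result.Status = 'Exchange Server 2010: not affected by these vulnerabilities'
        return [pscustomobject]$result
    }

    # Match on the CU (major.minor.build), then compare the SU number (revision).
    $sameCu = $candidates | Where-Object {
        $_.Major -eq $Installed.Major -and
        $_.Minor -eq $Installed.Minor -and
        $_.Build -eq $Installed.Build
    }
    if (-not $sameCu) {
        $result.Status = 'CU not in the patched list: upgrade to a supported CU, then apply the SU'
        return [pscustomobject]$result
    }

    $fixedRevision = ($sameCu | Sort-Object Revision -Descending | Select-Object -First 1).Revision
    if ($Installed.Revision -ge $fixedRevision) {
        $result.Status = 'Patched: build is at or above the fixed build for this CU'
    } else {
        $result.Status = 'VULNERABLE: install the 13 April 2021 security update for this CU'
    }
    return [pscustomobject]$result
}

$installed = Get-InstalledExchangeVersion
Test-ExchangePatched -Installed $installed -PatchedBuilds $PatchedBuilds | Format-List
```

The script reads the file version of ExSetup.exe rather than the `AdminDisplayVersion` shown by `Get-ExchangeServer`, because the latter reports the Cumulative Update level and does not change when a Security Update is installed. Matching on the CU first matters: if your server is on a CU that Microsoft did not ship a patch for, the fix is to move to a supported CU before applying the security update.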