Another vulnerability in Microsoft Exchange servers

An Exchange server serves as the central storage and management of e-mails, contacts, tasks or appointments and is included as part of the Microsoft online service Microsoft 365 in the current version 2019; according to the current state of knowledge, only the locally hosted variant is affected. The counterpart, i.e. the corresponding client software, is provided with Microsoft Outlook.

In order to compromise the system, it is necessary to combine several problems in the software in order to gain external access as an unauthenticated user. The first vulnerability in this case is the Exchange Client Access Service (CAS). This is responsible for processing the incoming data traffic for various protocols and allowed the unauthenticated user to pass due to the weak point. Ultimately, the open gate was the autodiscover function. Mail clients call up the details of the server when it is set up and make this process easier for the user, since it is no longer necessary to enter the server address, port and other details. With this function it is now possible to execute malicious code in the system with elevated rights.

In this attack scenario, it can be assumed that the attackers are able to execute malicious code. This enables webshells to be started in order to reload further malware or to encrypt entire systems. In the worst case, this leads to a complete compromise of the system. In addition, data can be transferred or computing power withdrawn.

Since Microsoft patched these gaps in April and May, the responsibility now rests with the admins to check whether their mail servers are up to date. The gaps were closed with KB5001779 and KB5003435. Always ensure that you regularly install security patches in order to be prepared in an emergency. It is also advisable to only operate the server locally and not publicly via the Internet.

If the current patches have not yet been installed, you must immediately check whether suspicious activities have taken place. This could be access to “/autodiscover/autodiscover.json” or “/ mapi / nspi /” in the IIS logs.

Security expert Kevin Beaumont has also published a ProxyShell script for the nmap scanner that administrators can use to test their own servers. It specifically tests for vulnerability to the CVE-2021-34473 vulnerability, which is part of ProxyShell.

If an attack is detected, it must be checked in each individual case whether it is a reportable data breach in accordance with Art. 33 GDPR. This is the case if the protection of personal data has been breached, e.g. because data has leaked. It should be noted here that the data breach must be reported to the responsible supervisory authority within 72 hours.

We are happy to support you with all questions relating to data protection and IT security. Simply call us at the head office in Hutthurm on +49 (0) 8505 91 927 – 0 or in our branch in Munich on +49 (0) 89 413 2943 – 0 or use our contact form.