NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches
April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency.
"This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post.
"These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers."
Clicking through Microsoft's coy links to CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483, you'll find the unspecified security partner is the NSA. Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems.
The NSA assist comes a month after Microsoft fixed four Exchange Server zero-day flaws, claiming that a China-based hacking group, dubbed "Hafnium," exploited the vulnerabilities to steal data from US defense contractors, law firms, and medical researchers.
"The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google's security bulletin said.
News URL: https://go.theregister.com/feed/www.theregister.com/2021/04/13/patch_tuesday_april/
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
- Critical Zimbra RCE flaw exploited to backdoor servers using emails
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast
- Microsoft fixes Remote Desktop issues caused by Windows Server update
- Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems
- New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution
- Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server
- Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2021-04-13 | CVE-2021-28480 | Microsoft Exchange Server 2013/2016/2019 Remote Code Execution Vulnerability | 9.8 |
| 2021-04-13 | CVE-2021-28481 | Microsoft Exchange Server 2013/2016/2019 Remote Code Execution Vulnerability | 9.8 |
| 2021-04-13 | CVE-2021-28482 | Microsoft Exchange Server 2013/2016/2019 Remote Code Execution Vulnerability | 8.8 |
| 2021-04-13 | CVE-2021-28483 | Microsoft Exchange Server 2013/2016/2019 Remote Code Execution Vulnerability | 9.0 |