
Check your patches – public exploit now out for critical Exchange bug
2021-11-23 20:36

This bug could be exploited for unauthorised remote code execution on Microsoft Exchange 2016 and 2019, and was patched in the November 2021 Patch Tuesday updates.

The silver lining, if there is such a thing for any zero-day hole, is that the attacker first needs to be authenticated to the Exchange server.

A bug of this sort still represents a critical security issue, because regular users aren't supposed to be able to upload and run arbitrary programs on any of your network servers, least of all your mail server.

Often, the details of how a bug was patched - for example, new error-checking code added to detect and reject invalid input data - can provide a handy shortcut to understanding not only how the bug works, but also how to construct booby-trapped input that allows the vulnerable program to be taken over completely, instead of simply crashed.

To verify that your Exchange servers are safe against this and other known security holes, you can use Microsoft's official Exchange Server HealthChecker PowerShell script.
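The article points at HealthChecker but does not show how a patch check is actually carried out, so here is an added example (written for this page, not taken from the article, from Sophos, or from Microsoft's script) that an administrator could run from the Exchange Management Shell. It reads the exact installed build from ExSetup.exe on each server, which reflects the security update level rather than only the cumulative update, and compares it with a minimum "patched" build. The build numbers in `$PatchedBuilds` are placeholders that must be replaced with the November 2021 security update builds from Microsoft's Exchange build table; the `aka.ms/ExchangeHealthChecker` download link and the `-Server` and `-BuildHtmlServersReport` parameters are assumed from the publicly documented HealthChecker usage.

```powershell
# Added example: report installed Exchange build per server and flag servers
# below the November 2021 security update. Run from the Exchange Management Shell.
#
# ASSUMPTION: the values below are PLACEHOLDERS. Replace them with the build
# numbers that shipped with the November 2021 SU for your CU level before use.
$PatchedBuilds = @{
    'Exchange Server 2016' = [version]'15.1.0.0'   # PLACEHOLDER
    'Exchange Server 2019' = [version]'15.2.0.0'   # PLACEHOLDER
}

function Get-ExchangeSuBuild {
    # AdminDisplayVersion only shows the CU; the file version of ExSetup.exe
    # changes with every security update, so it is the value to compare.
    param([Parameter(Mandatory)][string]$Server)
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
        [version]$exsetup.FileVersionInfo.ProductVersion
    }
}

function Get-ExchangeProductName {
    # Map the major.minor build to the marketing name used in $PatchedBuilds.
    param([Parameter(Mandatory)][version]$Build)
    switch ("$($Build.Major).$($Build.Minor)") {
        '15.0' { 'Exchange Server 2013' }
        '15.1' { 'Exchange Server 2016' }
        '15.2' { 'Exchange Server 2019' }
        default { 'Unknown' }
    }
}

function Test-ExchangePatchLevel {
    # Returns one row per server with a Verdict of Patched / NOT PATCHED /
    # Not in scope (2013 was removed from the affected list) / Unknown.
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        try {
            $build   = Get-ExchangeSuBuild -Server $s
            $product = Get-ExchangeProductName -Build $build
            $minimum = $PatchedBuilds[$product]
            $verdict = if (-not $minimum) { 'Not in scope' }
                       elseif ($build -ge $minimum) { 'Patched' }
                       else { 'NOT PATCHED' }
        }
        catch {
            $build = $null; $product = 'Unknown'; $minimum = $null
            $verdict = "Unknown ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Server  = $s
            Product = $product
            Build   = $build
            Minimum = $minimum
            Verdict = $verdict
        }
    }
}

# Enumerate every Exchange server in the organisation and check each one.
$servers = Get-ExchangeServer | Select-Object -ExpandProperty Name
Test-ExchangePatchLevel -Servers $servers | Format-Table -AutoSize

# Cross-check with Microsoft's own HealthChecker, which also covers other
# known vulnerabilities and configuration issues (download link assumed from
# Microsoft's published usage; verify it before running anything you download).
# Invoke-WebRequest -Uri 'https://aka.ms/ExchangeHealthChecker' -OutFile .\HealthChecker.ps1
# foreach ($s in $servers) { .\HealthChecker.ps1 -Server $s }
# .\HealthChecker.ps1 -BuildHtmlServersReport
```

The hand-rolled check is deliberately narrow: it answers only "is the November 2021 security update present?" for 2016 and 2019, which is the question the article raises. HealthChecker remains the authoritative tool because it carries Microsoft's current list of vulnerable builds, so treat the script above as a quick triage step and the HealthChecker report as the record.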

Microsoft added Exchange 2013 to the list of vulnerable versions on 2021-11-16, only to change its mind on 2021-11-17 and report that it had "Removed Exchange Server 2013 from the Security Updates table as it is not affected by this vulnerability."
News URL

https://nakedsecurity.sophos.com/2021/11/23/check-your-patches-public-exploit-now-out-for-critical-exchange-bug/