Advertise

Vulnerabilities / Threats

End of Bibblio RCM includes -->

4/13/2021
05:39 PM

Kelly Sheridan
News

Connect Directly

0 comments
Comment Now

NSA Alerted Microsoft to New Exchange Server Vulnerabilities

Microsoft today patched 114 CVEs to address the Exchange Server flaws, more than 50 remote code execution vulnerabilities, and one zero-day.

Microsoft today issued fixes for 114 vulnerabilities as part of its monthly security update release, which this month addressed 19 critical flaws, four critical Microsoft Exchange Server bugs found by the National Security Agency (NSA), and one zero-day bug in Desktop Window Manager.

The patches released today address flaws in Microsoft Windows, the Edge browser, Microsoft Office, Azure and Azure DevOps Server, Exchange Server, SharePoint Server, Hyper-V, Visual Studio, and Team Foundation Server. None of the bugs were disclosed at the recent Pwn2Own.

CVE-2021-28310, a Win32k elevation of privilege vulnerability, is the only CVE under active attack patched this month. Kaspersky researchers who found it believe it's potentially being used in the wild by several attackers. They note it's likely used with other browser exploits to escape sandboxes or achieve system privileges; however, they did not capture a full chain so are unable to confirm the full attack sequence.

Attack complexity for this vulnerability is low, according to Microsoft, and it requires low-level privileges. An attacker would have to access the target system locally or remotely, or rely on a user to run the malicious code for them.

Today's patches also addressed four critical remote code execution vulnerabilities in Microsoft Exchange Server: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483. All of these were discovered by the NSA and affect Exchange Server versions 2013 through 2019.

CVE-2021-28480 and CVE-2021-28481 have a CVSS score of 9.8 and require no authorization or user interaction to exploit. Dustin Childs of Trend Micro's Zero-Day Initiative notes this CVSS score is higher than the scores for the Exchange Server vulnerabilities disclosed last month, and given that Microsoft lists the attack vector as "Network," it's likely they are wormable - at least between Exchange Servers. Considering they came from the NSA, patching should be a priority.

"We have not seen the vulnerabilities used in attacks against our customers," Microsoft says of the on-premise Exchange Server flaws patched today. "However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats." Exchange Online users are already protected.

Microsoft has also identified a whopping 27 remote code execution flaws in Remote Procedure Call, a protocol that lets a program request service from a program on another machine in the same network. Of these, 12 are rated as Critical and 15 are categorized at Important in severity.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment |

Email This |

Print |

RSS

More Insights

Webcasts

How Applications Are Attacked: A Year in Application Security

The Biggest Network Security Threats of 2023 & How to Combat Them

More Webcasts

White Papers

Automate IT: Modernizing IT Service Management in Healthcare

2022 Retrospective: The Emergence of the Next Generation of Wi-Fi

More White Papers

Reports

Addressing the Security Challenges of the New Edge

How Machine Learning, AI & Deep Learning Improve Cybersecurity

More Reports

//Comments

Newest First | Oldest First | Threaded View

[close this box]

Be the first to post a comment regarding this story.

Editors' Choice

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP, 7/9/2021

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Robert Lemos, Contributing Writer, 7/7/2021

It's in the Game (but It Shouldn't Be)

Tal Memran, Cybersecurity Expert, CYE, 7/9/2021

Live Events

Webinars

Black Hat USA - August 5-10 - Learn More

Black Hat Asia - May 9-12 - Learn More

More Informa Tech Live Events

White Papers

Empower Digital Transformation by Protecting Converged IT and OT

Attack Surface Management v2.0 by Brad LaPorte

What Elite Threat Hunters See that Others Miss

The 2022 State of Cloud Security Report

Transform Your Security Strategy

More White Papers

Cartoon

Latest Comment: I've heard of people walking right out the front door with entire servers...

Cartoon Archive

Current Issue

The 10 Most Impactful Types of Vulnerabilities for Enterprises Today

Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

How Enterprises are Developing Secure Applications

Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.

Download Now!

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2023-1142
PUBLISHED: 2023-03-27

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.

CVE-2023-1143
PUBLISHED: 2023-03-27

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.

CVE-2023-1144
PUBLISHED: 2023-03-27

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.

CVE-2023-1145
PUBLISHED: 2023-03-27

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1655
PUBLISHED: 2023-03-27

Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]