A Zero-day CVE-2021-26857 among other critical vulnerabilities fixed with the latest Exchange Server update

A Zero-day CVE-2021-26857 among other critical vulnerabilities fixed with the latest Exchange Server update


Hello everyone,

Several security updates have been released in Microsoft Exchange Server to address vulnerabilities exploited in limited attacks. Noteworthy among these vulnerabilities is the Zero-day with the ID - CVE-2021-26857. This is a remote code execution vulnerability with a functional exploit code.


This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. However, other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

Versions affected: The following versions of Microsoft Exchange Server are compromised while Exchange Online remains unaffected. Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.

  • Microsoft Exchange Server 2013  

  • Microsoft Exchange Server 2016  

  • Microsoft Exchange Server 2019

 

The other vulnerabilities addressed are as follows:

 

To fix these vulnerabilities, install the out of band updates released as soon as possible. Initiate a sync between the Central Patch Repository and the Patch Manager Plus server. Once synced, search for the following Patch IDs and deploy them to your target systems.


 Patch ID
 Bulletin ID
 Patch Description
 30930
 MS21-FEB18
 Security Update For Exchange Server 2013 CU23 (KB5000871)
 30931
 MS21-FEB18
 Security Update For Exchange Server 2016 CU18 (KB5000871)
 30932
 MS21-FEB18
 Security Update For Exchange Server 2016 CU19 (KB5000871)
 30933
 MS21-FEB18
 Security Update For Exchange Server 2019 CU7 (KB5000871)
 30934
 MS21-FEB18
 Security Update For Exchange Server 2019 CU8 (KB5000871)
 30935
 MS21-FEB18
 Update Rollup 32 For Exchange 2010 SP3 (KB5000978)
 31069
 MS21-MAR8 Security Update For Exchange Server 2016 CU14 (KB5000871)
 31070
 MS21-MAR8 Security Update For Exchange Server 2016 CU15 (KB5000871)
 31071
 MS21-MAR8 Security Update For Exchange Server 2016 CU16 (KB5000871)
 31072
 MS21-MAR8 Security Update For Exchange Server 2019 CU4 (KB5000871)
 31073
 MS21-MAR8 Security Update For Exchange Server 2019 CU5 (KB5000871)
 31074
 MS21-MAR8 Security Update For Exchange Server 2019 CU6 (KB5000871)
 31075 
 MS21-MAR8 Security Update For Exchange Server 2013 CU21 (KB5000871)
 31076
 MS21-MAR8 Security Update For Exchange Server 2013 CU 22 (KB5000871)
 31077
 MS21-MAR8 Security Update For Exchange Server 2016 CU12 (KB5000871)
 31078
 MS21-MAR8 Security Update For Exchange Server 2016 CU13 (KB5000871)
 31079
 MS21-MAR8 Security Update For Exchange Server 2016 CU17 (KB5000871)
 31080
 MS21-MAR8 Security Update For Exchange Server 2019 CU3 (KB5000871)
 31081
 MS21-MAR8 Security Update For Exchange Server 2016 CU10 (KB5000871)
 31082
 MS21-MAR8 Security Update For Exchange Server 2016 CU11 (KB5000871)
 31083
 MS21-MAR8 Security Update For Exchange Server 2019 RTM (KB5000871)
 31084
 MS21-MAR8 Security Update For Exchange Server 2019 CU1 (KB5000871)
 31085
 MS21-MAR8 Security Update For Exchange Server 2019 CU2 (KB5000871)
 31086
 MS21-MAR8 Security Update For Exchange Server 2016 CU8 (KB5000871)
 31087
 MS21-MAR8 Security Update For Exchange Server 2016 CU9 (KB5000871)

Note: The patches mentioned here will only be applicable if the respective cumulative updates have already been installed.

For example: Patch 30930 will only be shown missing in systems that have Exchange Server 2013 installed and the Cumulative Update 23 (CU 23) installed.

Cheers,

The ManageEngine Team