As the German BSI announced in a current publication (CSW # 2021-197772-1632), four vulnerabilities were closed in MS Exchange on the night of Wednesday, 3-March-2021, which were already used in combination for targeted attacks and perpetrators offered the possibility of accessing data or installing additional malware.
The vulnerabilities are:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send HTTP requests and authenticate themselves on the Exchange server.
- CVE-2021-26857 is a vulnerability in the Unified Messaging Service. User-specific data are deserialized by a program. This enables any program code to be executed as a SYSTEM user on the Exchange server. This requires administrator rights or the exploitation of a corresponding further vulnerability.
- CVE-2021-26858 and CVE-2021-27065 are vulnerabilities with which – after authentication – arbitrary files can be written on the Exchange server. The authentication can take place e.g. via CVE-2021-26855 or expired administrator access data.
As the Computer Emergency Response Team Austria reports, 1074 active MS Exchange servers are still unpatched and therefore still represent a significant security risk (https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwachstellen-in-osterreich– German only).
The German BSI is also extremely critical of the IT threat situation, as over one hundred thousand Exchange servers around the world have already been compromised. In Germany alone tens of thousands of systems are affected – including at least six federal authorities – and the trend is rising. According to the BSI, at least 26,000 Exchange servers in Germany that can be accessed directly from the Internet are currently particularly vulnerable. These “should be assumed to be compromised”. The security gaps are used, among other things, to encrypt data on the affected server for the purpose of blackmail, on the other hand as a bot network participant with innumerable possibilities and after-effects.
As part of these findings, the security of grammm was audited and it was made clear that grammm is not affected by these security gaps and has never been at any time. Grammm is convinced that the deep integration of MS Exchange in the Windows API subsystem and process system has had these serious consequences.
By default, grammm always makes its services and interfaces available using non-system privileged (unprivileged) users. In addition to the classic Linux on-board tools for the security architecture, this offers an additional barrier to protect against such profound operating system takeovers.
grammm thus offers a more secure alternative to MS Exchange, whether on-premise or with one of our hosting partners.
Feel free to contact us.