Two Guys and an Opinion
'Solarwinds123'?
Info
Two Guys and an Opinion
'Solarwinds123'?
Mar 05, 2021 Season 1 Episode 7
The RANt Group

With the fallout of the Solarwinds breach continuing to grab the headlines, we discuss the concept of 'supply-chain compromise' and why it's such a favoured attack vector.

Also covered is the highly sophisticated zero-day exploit chaining attack perpetrated by a Chinese state-sponsored group called HAFNIUM against on-premise MS Exchange servers.

Oh, and Richard craves a beer-garden.....

Show notes:

As mentioned in this episode, the critical MS Exchange CVEs are:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Also included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:


Share