{"id":48,"date":"2021-11-11T21:00:44","date_gmt":"2021-11-11T21:00:44","guid":{"rendered":"https:\/\/www.bearlysecure.org\/V1\/?p=48"},"modified":"2021-11-11T21:00:44","modified_gmt":"2021-11-11T21:00:44","slug":"48-2","status":"publish","type":"post","link":"https:\/\/www.bearlysecure.org\/V1\/48-2\/","title":{"rendered":""},"content":{"rendered":"
\n
\n
\n
Important Note:<\/strong> This detection also relies on application logging being enabled on Exchange Servers.<\/p>\n\n\n\n
\n\n\n\n
\n\n\n\n\n
\n
On Tuesday, November 9, 2021, Microsoft released patches for two actively exploited vulnerabilities, CVE-2021-42321 in Microsoft Exchange, and CVE-2021-42292 in Microsoft Excel.<\/p>\n

CVE-2021-42321 is a post-authentication remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019. This specifically affects on-premises Microsoft Exchange Server and Exchange servers deployed in a hybrid model. Exchange online customers are not vulnerable.<\/p>\n

CVE-2021-42292 is a security bypass vulnerability in Microsoft Excel that could lead to local code execution via a specially crafted Excel file. Updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are currently not available.<\/p>\n

Microsoft has reported limited exploitation of these two vulnerabilities and have not released technical details regarding how these vulnerabilities work or which threat actors or campaigns are exploiting them. Public proof of concept exploit code for both vulnerabilities is not available at this time.<\/p>\n

We strongly recommend<\/strong> that customers running vulnerable versions of Microsoft Excel and Microsoft Exchange Server review the recommendations below and apply the latest security patches immediately.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n

\n\n\n\n
\n\n\n\n\n
\n
 <\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
Recommendations<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
This section details recommendations that we suggests to remediate CVE-2021-42321 and CVE-2021-42292 and provide increased visibility into potential attack activity on Windows systems running Microsoft Exchange Server.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
Recommendation #1: Patch Vulnerable Versions of Microsoft Exchange Server to Remediate CVE-2021-42321<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
\n\n\n\n
\n\n\n\n
\n
\n\n\n\n\n\n\n
Product<\/strong><\/td>\nMicrosoft Security Update Page<\/strong><\/td>\n<\/tr>\n
Microsoft Exchange Server 2019<\/td>\nCumulative Update 11: Security Update For Exchange Server 2019 CU11 (KB5007409)<\/a>
\nCumulative Update 10: Security Update For Exchange Server 2019 CU10 (KB5007409)<\/a><\/td>\n<\/tr>\n
Microsoft Exchange Server 2016<\/td>\nCumulative Update 22: Security Update For Exchange Server 2016 CU22 (KB5007409)<\/a>
\nCumulative Update 21: Security Update For Exchange Server 2016 CU21 (KB5007409)<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
NOTE:<\/strong> Microsoft has not indicated that CVE-2021-42321 impacts Microsoft Exchange Server 2013.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
Recommendation #2: Patch Vulnerable Versions of Microsoft Excel to Remediate CVE-2021-42292<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
\n\n\n\n
\n\n\n\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Product<\/strong><\/td>\nMicrosoft Security Update Page<\/strong><\/td>\n<\/tr>\n
Microsoft Office 2013 Service Pack 1 (32-bit & 64-bit)<\/td>\nhttps:\/\/support.microsoft.com\/help\/5002035<\/a><\/td>\n<\/tr>\n
Microsoft Excel 2013 RT Service Pack 1<\/td>\nhttps:\/\/support.microsoft.com\/help\/5002035<\/a><\/td>\n<\/tr>\n
Microsoft Excel 2013 Service Pack 1 (64-bit editions)<\/td>\nhttps:\/\/support.microsoft.com\/help\/5002035<\/a>
\nhttps:\/\/support.microsoft.com\/help\/5002072<\/a><\/td>\n<\/tr>\n
Microsoft Office 2016 (32-bit & 64-bit)<\/td>\nhttps:\/\/support.microsoft.com\/help\/4486670<\/a><\/td>\n<\/tr>\n
Microsoft Excel 2016 (64-bit & 32-bit)<\/td>\nhttps:\/\/support.microsoft.com\/help\/5002056<\/a>
\nhttps:\/\/support.microsoft.com\/help\/4486670<\/a><\/td>\n<\/tr>\n
Microsoft Office LTSC 2021 for 32-bit & 64-bit<\/td>\nhttps:\/\/docs.microsoft.com\/en-us\/officeupdates\/microsoft365-apps-security-updates<\/a><\/td>\n<\/tr>\n
Microsoft 365 Apps for Enterprise for 32-bit & 64-bit<\/td>\nhttps:\/\/docs.microsoft.com\/en-us\/officeupdates\/office365-proplus-security-updates<\/a><\/td>\n<\/tr>\n
Microsoft Office 2019 for 32-bit & 64-bit<\/td>\nhttps:\/\/docs.microsoft.com\/en-us\/officeupdates\/microsoft365-apps-security-updates<\/a><\/td>\n<\/tr>\n
Microsoft Office LTSC for Mac 2021<\/td>\nNot Available from Microsoft at this time<\/td>\n<\/tr>\n
Microsoft Office 2019 for Mac<\/td>\nNot Available from Microsoft at this time<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
Recommendation #3: Run Microsoft Supplied PowerShell Command on All Exchange 2016 and 2019 Servers<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
\n\n\n\n\n
 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n\n
 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
 <\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
References<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n\n
\n
\n\n\n\n
\n\n\n\n
\n
If you have any additional questions, please reach out to you<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Important Note: This detection also relies on application logging being enabled on Exchange Servers. On Tuesday, November 9, 2021, Microsoft released patches for two actively exploited vulnerabilities, CVE-2021-42321 in Microsoft Exchange, and CVE-2021-42292 in Microsoft Excel. CVE-2021-42321 is a post-authentication remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019. This specifically affects on-premises… Read More »<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"bgseo_title":"","bgseo_description":"","bgseo_robots_index":"index","bgseo_robots_follow":"follow","neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-48","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/posts\/48","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/comments?post=48"}],"version-history":[{"count":1,"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/posts\/48\/revisions"}],"predecessor-version":[{"id":49,"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/posts\/48\/revisions\/49"}],"wp:attachment":[{"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/media?parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/categories?post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bearlysecure.org\/V1\/wp-json\/wp\/v2\/tags?post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}