Microsoft Exchange 3Ô¶à¸öÇå¾²Îó²î

Ðû²¼Ê±¼ä 2021-03-03

0x00 Îó²î¸ÅÊö

2021Äê03ÔÂ02ÈÕ£¬£¬£¬£¬£¬£¬£¬ £¬MicrosoftÐû²¼¹ØÓÚExchangeµÄÇå¾²¸üУ¬£¬£¬£¬£¬£¬£¬ £¬ÐÞ¸´ÁËExchangeÖеĶà¸öÇå¾²Îó²î ¡£¡£¡£¹¥»÷Õß¿ÉÒÔͨ¹ýÏòÄ¿µÄExchange Server·¢ËͶñÒâÊý¾Ý°üÀ´Ê¹ÓÃÕâЩÎó²î£¬£¬£¬£¬£¬£¬£¬ £¬×îÖÕ¿ÉÒÔÔÚÄ¿µÄϵͳÉÏÖ´ÐÐí§Òâ´úÂ룬£¬£¬£¬£¬£¬£¬ £¬¶øÎÞÐèÓû§½»»¥ ¡£¡£¡£


0x01 Îó²îÏêÇé

image.png

 

±¾´ÎÐÞ¸´µÄExchangeÎó²îÈçÏ£º

CVE ID

ÆÀ·Ö

Ó°Ïì

ÊÇ·ñÒѱ»Ê¹ÓÃ

CVE-2021-26855

9.1

¹¥»÷ÕßÄܹ»·¢ËÍí§ÒâHTTPÇëÇó²¢Í¨¹ýExchange   Server¾ÙÐÐÉí·ÝÑéÖ¤ ¡£¡£¡£

ÊÇ

CVE-2021-26857

7.8

¹¥»÷Õß¿ÉÒÔÔÚExchange ServerÉÏÒÔSYSTEMȨÏÞÔËÐдúÂë ¡£¡£¡££¨ÐèÖÎÀíԱȨÏÞ£©

ÊÇ

CVE-2021-26858

7.8

ExchangeÖб£´æÑéÖ¤ºóµÄí§ÒâÎļþдÈëÎó²î ¡£¡£¡£Í¨¹ýÑéÖ¤µÄ¹¥»÷Õß¿ÉÒÔʹÓôËÎó²î½«ÎļþдÈëЧÀÍÆ÷µÄÈκη¾¶ÖÐ ¡£¡£¡£Í¬Ê±£¬£¬£¬£¬£¬£¬£¬ £¬Í¨¹ýÅäºÏʹÓÃCVE-2021-26855 SSRFÎó²î¿ÉÒÔÆÆËðÖÎÀíÔ±µÄƾ֤À´¾ÙÐÐÉí·ÝÑéÖ¤ ¡£¡£¡£

ÊÇ

CVE-2021-27065

7.8

CVE-2021-26412

9.1

RCE

·ñ

CVE-2021-26854

6.6

RCE

·ñ

CVE-2021-27078

9.1

RCE

·ñ

 

ÆäÖУ¬£¬£¬£¬£¬£¬£¬ £¬CVE-2021-26855¡¢CVE-2021-26857¡¢CVE-2021-26858ºÍCVE-2021-27065Îó²î±»×÷Ϊ¹¥»÷Á´µÄÒ»²¿·Ö ¡£¡£¡£³õʼ¹¥»÷ÐèÒªÓëExchange Server 443¶Ë¿Ú½¨ÉèÅþÁ¬£¬£¬£¬£¬£¬£¬£¬ £¬¿ÉÒÔͨ¹ýÏÞÖÆ·ÇÐÅÈεÄÅþÁ¬£¬£¬£¬£¬£¬£¬£¬ £¬»òÉèÖÃVPN½«Exchange ServerÓëÍⲿ»á¼ûÍÑÀëÀ´±ÜÃâ³õʼ¹¥»÷£¬£¬£¬£¬£¬£¬£¬ £¬µ«ÈôÊǹ¥»÷ÕßÒѾ­ÓÐÁË»á¼ûȨÏÞ£¬£¬£¬£¬£¬£¬£¬ £¬»òÕß¿ÉÒÔÒÔÖÎÀíԱȨÏÞÔËÐжñÒâÎļþ£¬£¬£¬£¬£¬£¬£¬ £¬Ôò¿ÉÒÔ´¥·¢¹¥»÷Á´µÄÆäËü²¿·Ö ¡£¡£¡£

 

Ó°Ïì¹æÄ£

Exchange Server 2010

Exchange Server 2013

Exchange Server 2016

Exchange Server 2019

 

0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚMicrosoftÒÑÐû²¼Ïà¹ØÇå¾²¸üУ¬£¬£¬£¬£¬£¬£¬ £¬¼øÓÚÎó²îµÄÑÏÖØÐÔ£¬£¬£¬£¬£¬£¬£¬ £¬½¨Ò龡¿ìÉý¼¶ÐÞ²¹£º

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

 

ÔÝʱ²½·¥

CVE-2021-26855

¿ÉÒÔͨ¹ýÒÔÏÂExchange HttpProxyÈÕÖ¾¾ÙÐмì²â£º

%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

ͨ¹ýÒÔÏÂPowershell¿ÉÖ±½Ó¾ÙÐÐÈÕÖ¾¼ì²â£¬£¬£¬£¬£¬£¬£¬ £¬²¢¼ì²éÊÇ·ñÊܵ½¹¥»÷£º

Import-Csv -Path (Get-ChildItem -Recurse -Path ¡°$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy¡± -Filter ¡®*.log¡¯).FullName | Where-Object {  $_.AuthenticatedUser -eq ¡± -and $_.AnchorMailbox -like ¡®ServerInfo~*/*¡¯ } | select DateTime, AnchorMailbox

ÈôÊǼì²âµ½ÈëÇÖ£¬£¬£¬£¬£¬£¬£¬ £¬¿ÉÒÔͨ¹ýÒÔÏÂĿ¼»ñÈ¡¹¥»÷Õß½ÓÄÉÁËÄÄЩ»î¶¯£º

%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging

 

CVE-2021-26857

¸ÃÎó²îµ¥¶ÀʹÓÃÄѶȽϸߣ¬£¬£¬£¬£¬£¬£¬ £¬¿ÉʹÓÃÒÔÏÂÏÂÁî¼ì²âÈÕÖ¾ÌõÄ¿£¬£¬£¬£¬£¬£¬£¬ £¬²¢¼ì²éÊÇ·ñÊܵ½¹¥»÷ ¡£¡£¡£

Get-EventLog -LogName Application -Source ¡°MSExchange Unified Messaging¡± -EntryType Error | Where-Object { $_.Message -like ¡°*System.InvalidCastException*¡± }

 

CVE-2021-26858

ÈÕ־Ŀ¼£º

C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

¿Éͨ¹ýÒÔÏÂÏÂÁî¾ÙÐпìËÙä¯ÀÀ£¬£¬£¬£¬£¬£¬£¬ £¬²¢¼ì²éÊÇ·ñÊܵ½¹¥»÷£º

findstr /snip /c:¡±Download failed and temporary file¡± ¡°%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log¡±

 

CVE-2021-27065

¿Éͨ¹ýÒÔÏÂpowershellÏÂÁî¾ÙÐÐÈÕÖ¾¼ì²â£¬£¬£¬£¬£¬£¬£¬ £¬²¢¼ì²éÊÇ·ñÔâµ½¹¥»÷:

Select-String -Path ¡°$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log¡± -Pattern ¡®Set-.+VirtualDirectory¡¯

 

 

0x03 ²Î¿¼Á´½Ó

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

 

0x04 ʱ¼äÏß

2021-03-02  MSRCÐû²¼Ç徲ͨ¸æ

2021-03-03  VSRCÐû²¼Ç徲ͨ¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png