Jul 15, 2021

Microsoft Exchange Server – Critical vulnerabilities patched.

Participants in the 2021 Pwn2Own hacking contest have identified previously unknown vulnerabilities in Microsoft Exchange Server, including remote code execution, privilege escalation, and information disclosure flaws. Microsoft has already published security updates to resolve these issues.

The vulnerabilities affect Microsoft Exchange Server 2013 and up. Older versions of Microsoft Exchange Server are likely also impaired, but this is as yet unconfirmed. The vulnerabilities have been evaluated to be critical A NIST evaluation of the flaws is outstanding.

The newly identified vulnerabilities CVE-2021-33766, CVE-2021-34473 and CVE-2021-34523 had already been fixed via the security update published in April 2021.

The other newly identified vulnerabilities CVE-2021-31196, CVE-2021-31206, CVE-2021-33768 and CVE-2021-34470 can be fixed via the security update published by Microsoft on 13 July 2021.

Version

CVE

Link

Microsoft Exchange Server 2019 Cumulative Update 10

CVE-2021-31196

CVE-2021-31206

CVE-2021-33768

microsoft.com

Microsoft Exchange Server 2019 Cumulative Update 10

CVE-2021-34470

microsoft.com

Microsoft Exchange Server 2019 Cumulative Update 9

CVE-2021-31196

CVE-2021-31206

CVE-2021-33768

microsoft.com

Microsoft Exchange Server 2019 Cumulative Update 9

CVE-2021-33766

CVE-2021-34473

CVE-2021-34523

microsoft.com

Microsoft Exchange Server 2019 Cumulative Update 8

CVE-2021-33766

CVE-2021-34473

CVE-2021-34523

microsoft.com

Microsoft Exchange Server 2016 Cumulative Update 21

CVE-2021-31196

CVE-2021-31206

CVE-2021-33768

microsoft.com

Microsoft Exchange Server 2016 Cumulative Update 21

CVE-2021-34470

microsoft.com

Microsoft Exchange Server 2016 Cumulative Update 20

CVE-2021-31196

CVE-2021-31206

CVE-2021-33768

microsoft.com

Microsoft Exchange Server 2016 Cumulative Update 20

CVE-2021-33766

CVE-2021-34473

CVE-2021-34523

microsoft.com

Microsoft Exchange Server 2016 Cumulative Update 19

CVE-2021-33766

CVE-2021-34473

CVE-2021-34523

microsoft.com

Microsoft Exchange Server 2013 Cumulative Update 23

CVE-2021-31196

CVE-2021-31206

CVE-2021-34470

microsoft.com

Microsoft Exchange Server 2013 Cumulative Update 23

CVE-2021-33766

CVE-2021-34473

CVE-2021-34523

microsoft.com

We recommend deploying these security updates as soon as possible. Whether these vulnerabilities can be traced to the Hafnium hacker group is not currently known. 

We are happy to help you with an external assessment of your systems. Should you require assistance or advice, please contact us at it-security@bechtle.com or speak with your Bechtle account manager.

Share article

Published on Jul 15, 2021.