Microsoft Exchange Server – Critical vulnerabilities patched

Microsoft Exchange Server – Critical vulnerabilities patched.

Participants in the 2021 Pwn2Own hacking contest have identified previously unknown vulnerabilities in Microsoft Exchange Server, including remote code execution, privilege escalation, and information disclosure flaws. Microsoft has already published security updates to resolve these issues.

The vulnerabilities affect Microsoft Exchange Server 2013 and up. Older versions of Microsoft Exchange Server are likely also impaired, but this is as yet unconfirmed. The vulnerabilities have been evaluated to be critical A NIST evaluation of the flaws is outstanding.

The newly identified vulnerabilities CVE-2021-33766, CVE-2021-34473 and CVE-2021-34523 had already been fixed via the security update published in April 2021.

The other newly identified vulnerabilities CVE-2021-31196, CVE-2021-31206, CVE-2021-33768 and CVE-2021-34470 can be fixed via the security update published by Microsoft on 13 July 2021.

Version	CVE	Link
Microsoft Exchange Server 2019 Cumulative Update 10	CVE-2021-31196 CVE-2021-31206 CVE-2021-33768	microsoft.com
Microsoft Exchange Server 2019 Cumulative Update 10	CVE-2021-34470	microsoft.com
Microsoft Exchange Server 2019 Cumulative Update 9	CVE-2021-31196 CVE-2021-31206 CVE-2021-33768	microsoft.com
Microsoft Exchange Server 2019 Cumulative Update 9	CVE-2021-33766 CVE-2021-34473 CVE-2021-34523	microsoft.com
Microsoft Exchange Server 2019 Cumulative Update 8	CVE-2021-33766 CVE-2021-34473 CVE-2021-34523	microsoft.com
Microsoft Exchange Server 2016 Cumulative Update 21	CVE-2021-31196 CVE-2021-31206 CVE-2021-33768	microsoft.com
Microsoft Exchange Server 2016 Cumulative Update 21	CVE-2021-34470	microsoft.com
Microsoft Exchange Server 2016 Cumulative Update 20	CVE-2021-31196 CVE-2021-31206 CVE-2021-33768	microsoft.com
Microsoft Exchange Server 2016 Cumulative Update 20	CVE-2021-33766 CVE-2021-34473 CVE-2021-34523	microsoft.com
Microsoft Exchange Server 2016 Cumulative Update 19	CVE-2021-33766 CVE-2021-34473 CVE-2021-34523	microsoft.com
Microsoft Exchange Server 2013 Cumulative Update 23	CVE-2021-31196 CVE-2021-31206 CVE-2021-34470	microsoft.com
Microsoft Exchange Server 2013 Cumulative Update 23	CVE-2021-33766 CVE-2021-34473 CVE-2021-34523	microsoft.com

We recommend deploying these security updates as soon as possible. Whether these vulnerabilities can be traced to the Hafnium hacker group is not currently known.

We are happy to help you with an external assessment of your systems. Should you require assistance or advice, please contact us at it-security@bechtle.com or speak with your Bechtle account manager.