By Randy Becker, VP & Principal Security Architect

Microsoft April 2021 Patch Tuesday brings us 4 critical on-premises Exchange RCE CVEs, 2 with a base CVSS Score of 9.8 out of 10 with no privileges required, 1 with a CVSS Score of 9 with an attack vector adjacent with low privileges required, and 1 with an 8.8 and low privileges required.

These significant vulnerabilities should be patched ASAP

These impact on-premises Exchange Server versions 2013, 2016, and 2019. Note that the Exchange updates released in March of 2021 do not remediate against these new vulnerabilities announced today. These are significant vulnerabilities that should be patched as soon as possible following your normal change and testing processes. Is it time to enhance your vulnerability management program to deal with vulnerabilities like these and out of band zero-day vulnerabilities? The answer of course is Yes.

Patching instructions and further reading on the threat

The latest patches can be viewed on the Microsoft Security Response Center (MSRC) website. KB5001779 takes you to the 4 new Exchange RCE vulnerabilities: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483. As usual, you must follow the instructions on this page or you may run into problems with the updates just like in last month’s updates.

How long before a POC exploit is made public?

It does not look like there is evidence of exploitation in the wild yet but exploitation is likely. Given the exploits we saw associated with the previous Exchange on-premises vulnerabilities, organizations are strongly recommended to prioritize installing the latest updates. It also looks like there are a few critical severity RCE vulnerabilities impacting all supported versions of Windows. The same process goes with these per usual patching.

Important steps we should all be taking

• Follow proper change control process

• Test your patches before rolling into production

• Ensure you have immutable backups of all systems—that way if the worst happens you have a method of recovering.

• If you have an on-premises Microsoft Exchange Server, regardless of whether it’s exposed to the Internet or not, patch it!

• Ask yourself if now is the time to consider a move to Microsoft Online Exchange?

If you have an on-premises Microsoft Exchange Server and need help patching or would like to implement immutable backups or create an Incident Response Plan, reach out to your GreenPages Account Manager or reach out to us!

Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation. Randy is also a HITRUST Certified CSF Practitioner (CCSFP) which ensures clients have access to the highest level of expertise related to privacy, security, compliance, and risk management.