
Rewterz Threat Advisory – LockFile Ransomware Hacked Multiple Microsoft Exchange Servers

Severity

High

Analysis Summary

CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass.

CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend

CVE-2021-34473 – Post-auth Arbitrary-File-Write leads to RCE

After fully exploiting Microsoft Exchange servers, the attackers drop web shells that let them run further malicious programs to escalate privileges. LockFile ransomware exploits the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices. LockFile encrypts all of the user's data on the PC (photos, documents, Excel spreadsheets, music, videos, etc.), appends its own extension to every file, and creates a Recovery_Instructions.html file in every folder that contains encrypted files.
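As an added illustration of how a defender might hunt for the activity described above (example code written for this page, not Rewterz's or Microsoft's), the script below flags IIS log entries matching the publicly documented ProxyShell path-confusion signature (assumed: an Autodiscover request whose query carries an "@" segment that is forwarded to a backend such as /powershell or /mapi/nspi) and sweeps a directory tree for the Recovery_Instructions.html note named in the advisory. The log lines are constructed for the example.

```python
from pathlib import Path

# Assumed detection heuristic (public ProxyShell signature, not from the
# advisory): an Autodiscover request whose query carries an '@' segment that
# the Exchange front end forwards to a backend endpoint such as /powershell.
AUTODISCOVER = "/autodiscover/autodiscover.json"
BACKEND_HINTS = ("/powershell", "/mapi/nspi", "/ews/exchange.asmx")
RANSOM_NOTE = "Recovery_Instructions.html"  # note name given in the advisory

# Constructed IIS W3C log sample: two benign requests around two suspicious ones.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.9 Mozilla/5.0 200
2021-08-20 10:01:07 10.0.0.5 POST /autodiscover/autodiscover.json @test.invalid/powershell/?&Email=autodiscover/autodiscover.json%3f@test.invalid 443 - 203.0.113.7 python-requests/2.26 200
2021-08-20 10:02:11 10.0.0.5 GET /autodiscover/autodiscover.json @test.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@test.invalid 443 - 203.0.113.7 python-requests/2.26 200
2021-08-20 10:03:00 10.0.0.5 GET /ecp/default.aspx - 443 user1 10.0.0.9 Mozilla/5.0 302
""".splitlines()


def is_proxyshell_request(uri_stem, uri_query):
    """True when the stem/query pair matches the assumed path-confusion pattern."""
    stem, query = uri_stem.lower(), uri_query.lower()
    return (stem.endswith(AUTODISCOVER) and "@" in query
            and any(hint in query for hint in BACKEND_HINTS))


def flag_iis_lines(lines):
    """Return (line_no, client_ip) for each W3C log line matching the heuristic."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        if line.startswith("#") or not line.strip():
            continue  # directive or blank line
        fields = line.split()
        if len(fields) < 9:
            continue  # not a full default W3C record
        stem, query, client_ip = fields[4], fields[5], fields[8]
        if is_proxyshell_request(stem, query):
            hits.append((line_no, client_ip))
    return hits


def find_ransom_notes(root):
    """Folders under root holding the LockFile note, i.e. likely encrypted trees."""
    return sorted(str(p.parent) for p in Path(root).rglob(RANSOM_NOTE))


if __name__ == "__main__":
    for line_no, ip in flag_iis_lines(SAMPLE_LOG):
        print(f"line {line_no}: possible ProxyShell request from {ip}")
```

A real hunt would feed the Exchange server's IIS logs and the front-end directory tree into these functions rather than the constructed sample.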

Impact

  • Bypass Security
  • Code Execution
  • Privilege Escalation

Affected Vendors

Microsoft

Affected Products

Microsoft Exchange Servers

Indicators of Compromise

Remediation

Microsoft has issued updates to correct these vulnerabilities. More details can be found at:

  • CVE-2021-31207: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
  • CVE-2021-34523: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
  • CVE-2021-34473: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473