🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
| Category | Vulnerability Intelligence |
| Vulnerability Class | Remote Code Execution (RCE Vulnerability) |
| CVE ID | CVE-2021-31206 |
| CVSS:3.0 Score | 7.6 High-Risk |
| Target | Windows Server 2019/2016/2013 |
| Reference | *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- CVE-2021-31206 is an unauthenticated RCE vulnerability targeting MS Exchange servers that enable attackers to compromise Internet-facing instances.
- The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
- This vulnerability can be exploited to run arbitrary code in the target system. However, it requires an authenticated user, in a specific exchange role, to be compromised.
Analysis
Technical Details
- CVE-2021-31206 is a flaw in the parsing of archive-file format for Microsoft Windows or CAB(Cabinet) files.
- When handling filenames specified within a CAB file, the process does not properly validate a user-supplied path prior to using it in file operations.
- An attacker can leverage this, in conjunction with other vulnerabilities, to execute arbitrary code in the context of SYSTEM.
Affected Platforms
| Windows Platform | Build Version |
| Windows Server | 2013/ CU23/2016 CU20/2016 CU21/2019 CU10 |
Information from Cybercrime Forums
CloudSEK’s Threat Intelligence Research team has observed that the exploit code for this vulnerability is available with multiple threat actors and is being actively exploited by following threat groups:- Ransomware Operators
- Advanced Persistent Threats
- Access Brokers
Impact & Mitigation
Impact
- RCE vulnerabilities allow attackers to execute commands and gain control over victims' systems.
- Attackers can use RCE in vulnerable Exchange servers to get initial access to internal networks.
- Attackers can then laterally move across internal networks to further the attack by deploying ransomware or by exfiltrating critical information.
Mitigation
Patches for various Microsoft Exchange product versions were released on 13 July 2021:| Product | Article |
| Microsoft Exchange Server 2019 Cumulative Update 10 | 5004780 |
| Microsoft Exchange Server 2016 Cumulative Update 21 | 5004779 |
| Microsoft Exchange Server 2013 Cumulative Update 23 | 5004778 |
| Microsoft Exchange Server 2016 Cumulative Update 20 | 5004779 |
| Microsoft Exchange Server 2019 Cumulative Update 9 | 5004780 |
