Exchange Vulnerabilities Patch Today

Microsoft has released patches for multiple exchange vulnerabilities this patch tuesday. This should be an “urgent patch” for all CISO and security teams given exchange has been highly targeted by ransomware and malicious actors. Additionally enabling “Extended Protection” can provide additional protection.

As CISO we should consider a migration plan to Office365 or an alternative email solution given the history of exchange vulnerabilities. Email is a critical business function where information disclosure and service availability are risks which may out weight the ability to control data and own email data end-to-end.

Information disclosure bug in Microsoft Exchange.

Risk: High

CCVSS Score: 7.6

CVE: CVE-2022-30134

Description:

An exploit would require convincing a user with an affected version of Exchange Server to access a malicious server, which would then allow the attacker to read targeted email messages. Turning on Extended Protection for Exchange Server prevents this attack.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134

Affected:

Exchange Server 2013, 2016, 2019 (2010 is end of life and should be removed from service)

Action:

Apply the latest Cumulative Update and Enable Extended Protection

Critical Privilege Escalation Bug Exchange Server

Risk: Critical

CCVSS Score: 8.0

CVE: CVE-2022-24516, CVE-2022-21980, CVE-2022-24477

Description:

There’s also a trio of critical Exchange Server escalation of privilege bugs, where all three received CVSS 8.0 score and could allow unauthenticated users to take over mailboxes on the server.

Affected:

Exchange Server 2013, 2016, 2019 (2010 is end of life and should be removed from service)

Action:

Apply the latest Cumulative Update