CVE-2021-28481 Scanner
CVE-2021-28481 Scanner - Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 8 days 21 hours
Scan only one: Domain, Subdomain, IPv4
Microsoft Exchange Server is widely used in organizations for email, calendaring, and other collaborative services. It is commonly deployed by IT administrators in enterprises of all sizes to manage email communications and scheduling. Exchange Server facilitates communication among corporate users and integrates with other enterprise systems. Its use spans multiple industries, including finance, healthcare, and government. Often managed on-premises with network access, its security is vital to prevent unauthorized access and data breaches. Administrators frequently update their servers with the latest patches to preserve integrity and availability.
The Server-Side Request Forgery (SSRF) vulnerability can enable attackers to send crafted requests from the vulnerable system to unintended targets. The issue arises when the server misinterprets data requests without verifying their origin, which could lead to undesired actions being executed in the server context. Attackers might exploit this to connect to internal services that would otherwise be inaccessible. The SSRF vulnerability in Exchange Server could also serve as a vector for further vulnerabilities or data access. Attention to server configurations can mitigate this risk.
This SSRF vulnerability in Microsoft Exchange Server involves improper validation of privileged endpoint requests. The primary weakness is that the server processes these requests incorrectly. By manipulating headers like 'X-BackEndCookie' and 'X-AnchorMailbox', an attacker could bypass normal access controls. The 'rawXor' variable, constructed through precise encoding techniques, plays a crucial role in crafting viable attack requests. Successful exploitation could mean leveraging internal server connections that should be accessible only under authenticated scenarios. Protection involves keeping the server consistently updated and examining internal request handling.
Exploitation of this SSRF vulnerability might lead an attacker to further malicious actions, such as unauthorized data access. Malicious actors can potentially perform unauthorized operations inside the trusted network perimeter. There is a risk of data exposure or even execution of arbitrary code under certain conditions. Attackers could pivot and leverage additional vulnerabilities, leading to system compromise. Exploitation could have severe repercussions, such as data breaches or service disruption, impacting business operations.
REFERENCES
- https://sec.vnpt.vn/2021/04/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482
- https://hitcon.org/2021/agenda/279d7810-e619-4dc3-9113-b11bad5277ec/The%20Proxy%20Era%20of%20Microsoft%20Exchange%20Server.pdf
- https://www.youtube.com/watch?v=vn4niT9XEIM
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-28481
- https://nvd.nist.gov/vuln/detail/cve-2021-28481