
CVE-2021-28480 Scanner

CVE-2021-28480 Scanner - Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 20 days 18 hours
Scan only one: Domain, Subdomain, IPv4

Microsoft Exchange Server is widely used by organizations for email, calendaring, and collaboration. It is deployed across many enterprise environments, hosted either on servers in data centers or on cloud platforms, and is operated primarily by IT administrators, system administrators, and network engineers to manage mailboxes and user information. It integrates with Active Directory for user authentication and supports multiple protocols, including SMTP, IMAP, and MAPI. Exchange Server is also used for archiving and for meeting data-compliance requirements in professional settings.

The Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server allows an attacker to make the server issue requests to arbitrary destinations on the attacker's behalf. A vulnerability of this type can lead to unauthorized access to sensitive data and to system takeover. Attackers might use SSRF to scan internal networks, gather system information, and chain into other vulnerabilities present in the infrastructure. Because the server itself issues the requests, traditional perimeter controls are bypassed, which makes this a significant threat to the integrity of an organization's IT environment.

The vulnerable endpoint in this SSRF vulnerability is the 'OWA' component of Exchange Server, where improper validation of header data allows an attacker to craft malicious requests. Attackers send an 'X-BackEndCookie' header with crafted data to the server, which causes unintended actions to be executed. The vulnerable parameter is therefore a header in the HTTP request, and the technique involves XOR-encoding values to mask and alter the data sent to the server. This vulnerability is a vector for critical exploitation if the server is unpatched and reachable.

If this vulnerability is exploited, malicious actors could compromise the entire server infrastructure that hosts Exchange Server. This could lead to unauthorized data access, data manipulation, and data breaches. Attackers might move laterally from the Exchange Server to other internal services, leading to a broader compromise of systems. They could also use this access to deploy ransomware or to steal data for use in further attack campaigns.
