<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:182861571;
mso-list-template-ids:1043634602;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:246766545;
mso-list-template-ids:1360854438;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:722559257;
mso-list-template-ids:2023522496;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3
{mso-list-id:1547332913;
mso-list-template-ids:-1936575174;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Thanks April,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">And Chris, <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My team was on it as soon as we found out.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kelly <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">Kelly McClure<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">Director of Information Technology Services<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">Cameron University<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">2800 West Gore Boulevard<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">Lawton, Oklahoma 73505<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">E-Mail:
</span><span style="font-family:"Arial",sans-serif;color:black"><a href="mailto:kmcclure@cameron.edu"><span style="font-size:9.0pt;color:black">kmcclure@cameron.edu</span></a></span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"><img border="0" width="52" height="46" style="width:.5416in;height:.4791in" id="Picture_x0020_1" src="cid:image001.jpg@01D711D8.288B1290" alt="cid:image001.png@01D12C22.15C33580"></span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> CoIT-Security &lt;coit-security-bounces@lists.onenet.net&gt;
<b>On Behalf Of </b>Goode, April via CoIT-Security<br>
<b>Sent:</b> Friday, March 5, 2021 3:50 PM<br>
<b>To:</b> Kosciuk, Chris &lt;ckosciuk@osrhe.edu&gt;; Royal, Von &lt;von@onenet.net&gt;; Burkhart, Brian &lt;brian@onenet.net&gt;; 'coit-security@lists.onenet.net' &lt;coit-security@lists.onenet.net&gt;<br>
<b>Cc:</b> Goode, April &lt;april@onenet.net&gt;<br>
<b>Subject:</b> Re: [CoIT-Security] MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Microsoft Exchange Server Could Allow for Arbitrary Code Execution - PATCH: NOW - TLP: WHITE<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Good afternoon – Here is an update from Chris on this advisory.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div id="divtagdefaultwrapper">
<p><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p><span style="font-size:12.0pt;color:black">Update: Critical Updates for Microsoft Exchange Server<o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p><span style="font-size:12.0pt;color:black">We strongly encourage all on-premises Exchange customers to patch immediately and follow Microsoft guidance for investigating previous exposure, because patching alone does not remove any access an attacker gained before the update was applied. <o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p style="margin-bottom:12.0pt"><span style="font-size:12.0pt;color:black"><a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/</a><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-062a">https://us-cert.cisa.gov/ncas/alerts/aa21-062a</a><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p><span style="font-size:12.0pt;color:black">CK<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> Goode, April<br>
<b>Sent:</b> Thursday, March 4, 2021 7:37 AM<br>
<b>To:</b> Kosciuk, Chris; 'coit-security@lists.onenet.net'<br>
<b>Cc:</b> Royal, Von; Burkhart, Brian; Thigpen, Nick<br>
<b>Subject:</b> RE: MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Microsoft Exchange Server Could Allow for Arbitrary Code Execution - PATCH: NOW - TLP: WHITE</span><span style="font-size:12.0pt;color:black">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p><span style="color:black">Good morning,<o:p></o:p></span></p>
<p><span style="color:black"> <o:p></o:p></span></p>
<p><span style="color:black">We are sharing this advisory from MS-ISAC. If you have any questions about it, please let us know.<o:p></o:p></span></p>
<p><span style="color:black"> <o:p></o:p></span></p>
<p><span style="color:black">Thanks,<o:p></o:p></span></p>
<p><b><span style="color:#2F5496">April Goode, MBA, SPP<br>
</span></b><span style="color:#2F5496">Director of OneNet Strategic Planning and Communications<br>
Oklahoma State Regents for Higher Education<br>
405.225.9251<br>
<a href="mailto:april@onenet.net" target="_blank">april@onenet.net</a></span><span style="color:black"><o:p></o:p></span></p>
<p><span style="color:black"> <o:p></o:p></span></p>
<div id="divtagdefaultwrapper">
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p><span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<div>
<p><span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p align="center" style="text-align:center"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">TLP: WHITE</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p align="center" style="text-align:center"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">MS-ISAC CYBERSECURITY ADVISORY</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">MS-ISAC ADVISORY NUMBER:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">2021-030</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DATE(S) ISSUED:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">03/02/2021</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">SUBJECT:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Multiple Vulnerabilities in Microsoft Exchange Server Could Allow for Arbitrary Code Execution </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">OVERVIEW:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Multiple vulnerabilities have been discovered in Microsoft Exchange Server (on-premises version), the most severe of which could allow for arbitrary code execution. Microsoft Exchange
Server is a mail server used to run and manage an organization’s email services. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the mail server. Depending on the privileges
associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was
configured with administrative rights.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">THREAT INTELLIGENCE:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Microsoft has detected the threat actor HAFNIUM exploiting these vulnerabilities. HAFNIUM primarily targets entities in the United States across a number of industry sectors, including
infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. For more information on this threat actor and the details of the observed attacks please visit the Microsoft URL in the reference section.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">SYSTEMS AFFECTED:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">Microsoft Exchange Server 2010 RU31 for Service Pack 3</span><span style="color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">Microsoft Exchange Server 2013 CU 23</span><span style="color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">Microsoft Exchange Server 2016 CU 18, CU 19</span><span style="color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">Microsoft Exchange Server 2019 CU 7, CU 8</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">RISK:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Government:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3"><span style="font-family:"Arial",sans-serif">Large and medium government entities:<b> High</b></span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3"><span style="font-family:"Arial",sans-serif">Small government entities: <b>High</b></span><o:p></o:p></li></ul>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Businesses:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l3 level1 lfo6"><span style="font-family:"Arial",sans-serif">Large and medium business entities: <b>High</b></span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-list:l3 level1 lfo6"><span style="font-family:"Arial",sans-serif">Small business entities: <b>High</b></span><o:p></o:p></li></ul>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Home users: Low</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">TECHNICAL SUMMARY:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Multiple vulnerabilities have been discovered in Microsoft Exchange Server, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited
remotely if an attacker locates a vulnerable server. Details of the vulnerabilities are as follows:</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">A server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. [CVE-2021-26855]</span><span style="color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability
gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit. [CVE-2021-26857]</span><span style="color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">A post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path
on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. [CVE-2021-26858]</span><span style="color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-family:"Arial",sans-serif;color:black">A post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path
on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. [CVE-2021-27065]</span><span style="color:black"><o:p></o:p></span></p>
<p style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the mail server. Depending on the privileges
associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was
configured with administrative rights.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">RECOMMENDATIONS:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We recommend the following actions be taken:</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:12.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Apply the security updates provided by Microsoft to vulnerable systems immediately after appropriate testing.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:12.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:12.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:12.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p style="text-indent:-.25in"><span style="font-size:12.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;font-family:"Times New Roman",serif;color:black">
</span><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Apply the Principle of Least Privilege to all systems and services.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">REFERENCES:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Microsoft:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"><span style="color:#0563C1">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/</span></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Microsoft Security Response Center:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/"><span style="color:#0563C1">https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/</span></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">CVE:</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855"><span style="color:#0563C1">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855</span></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857"><span style="color:#0563C1">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857</span></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858"><span style="color:#0563C1">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858</span></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065"><span style="color:#0563C1">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065</span></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p align="center" style="text-align:center"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">TLP: WHITE</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p align="center" style="text-align:center"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.<br>
</span></b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.us-cert.gov/tlp" target="_blank"><b><span style="color:black;text-decoration:none">http://www.us-cert.gov/tlp/</span></b></a></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<p><span style="font-size:12.0pt;color:black">This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments
is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
<br>
<br>
. . . . . </span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>