CVE 2021-42321: Microsoft Exchange RCE Vulnerability: What We Know So Far


Were you aware !

What Happened

Security researcher Janggggg (@testanull on Twitter) published a proof-of-concept exploit for CVE-2021-42321, a remote code execution (RCE) vulnerability in Microsoft Exchange that affects on-premises servers running Microsoft Exchange 2016 and 2019, including those using Exchange Hybrid mode.

This exploit enables authenticated threat actors to execute code remotely on vulnerable servers and launch an attack.

Microsoft’s November 2021 Patch Tuesday addresses the vulnerability, so administrators should patch immediately.

How Bad is This?

A remote code execution vulnerability is always severe because it enables potential threat actors to launch attacks without local access to a machine. Microsoft issued a base metric score of 8.8, which notes high severity.

This vulnerability essentially is a bug in how Exchange allowed certain data to be stored in the BinaryData section of a UserConfiguration on a folder. When a UserConfiguration is set with a payload in the BinaryData and then the attacker requests a ClientAccessToken, it triggers a deserialization bug which results in execution of the payload in BinaryData.

Fortunately, Microsoft’s November patch will mitigate the risk. Plus, threat actors must be authenticated users to take advantage of the bug.

What Should I Do?

Administrators should immediately install the patches issued in Microsoft’s November Patch Tuesday.

Admins running Exchange servers should also check to see if attackers have attempted to exploit them. Admins can run the following PowerShell query on each server to check for specific events in the Event Log, according to Bleeping Computer:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

How To Detect

In the end this vulnerability and attack does not differ much from previous attacks in 2021. The attack itself has a set number of steps that must be run against an authenticated user, update specific configurations on that user, and then execute the actual vulnerability against the host itself.

This PoC attack requires execution of 4 POSTs in a chain against Exchange with an authenticated user to be successful. It is possible to detect this attack using the following logic, although it may have false positives without some tuning in your environment.

4 POSTs to /ews/exchange.asmx on IIS from a Public IP with User-Agent ExchangeServicesClient/15.01.2308.008 - over a short period of time. This detection will depend heavily on the User Agents seen in your environment and may result in false positives:

src_ip = 
 AND agent="ExchangeServicesClient/15.01.2308.008"
 AND url=""
 AND method="POST"

Otherwise we recommend using Sysmon to detect the same as other Exchange vulnerabilities. By their nature, they require the IIS/Exchange service w3wp.exe to be leveraged to pivot into another process. In these situations we expect to see patterns out of Sysmon process triggering such as:

user LIKE "%DefaultAppPool%"
 AND parent_process_name LIKE "%w3wp.exe%"
 AND process_name LIKE "%cmd%"

This will tell you whenever your w3wp (IIS) service is spawning command shells and/or similar processes within the process_name depending on the pivot you’re attempting to identify.

We will update this post as we find out more information.

This was originally published on Blumira's blog.

Let's not forget that camDown is a highly advanced, specialized webcam blocker and disabler with the best in class protection from variety of on-line threats and that's no lie.