This week there have been several exploits published that target recently published (and patched) vulnerabilities in Microsoft Exchange Server and Windows 10/11 systems.

Coming just a week after Microsoft published patches for these vulnerabilities, already proof of concept code has been made available on GitHub and threat actors have started targeting the exploits hoping to compromise systems before victims have been able to arrange to install the security patches from Microsoft.  The window of time from the publication of a vulnerability to when it starts been targeted by malicious activity is known as the mean time to inventory and it has been reducing rapidly.  This places increasing pressure on system administrators who have less time to validate and test patches before the vulnerabilities they address come under attack.

Microsoft Exchange Remote Code Execution

In this month’s Patch Tuesday security bundle, Microsoft delivered a patch to address CVE-2021-42321 which is a post authentication attack affecting on premise and hybrid deployments of Exchange Server.   This week proof of concept code showing how to exploit this vulnerability was published on GitHub making it easier for threat actors to attempt to attack unpatched servers (and they have already).

To check if your Exchange Server has been compromised before being patched, you can search for Indicators of Compromise in your logs where the Net BinaryFormatter has been abused:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

Interestingly, Microsoft’s own documentation for the .Net BinaryFormatter warns:

The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy. BinaryFormatter is insecure and can’t be made secure.

Windows Elevation of Privilege PoC released

This week saw another proof of concept released, this time for a recently published elevation of privilege vulnerability in Windows 10/11 + Server systems.

CVE-2021-41379 is a vulnerability in the Windows Installer and while a patch was included in the November security updates from Microsoft, the patch has been reverse engineered and found to be flawed.  Now a new zero-day exploit has been released on GitHub by the security researcher who reported the original vulnerability to Microsoft.  Cisco’s Talos research team has detected malware attempting to exploit this vulnerability within 24 hours of the proof of concept being published.

Threat actors can use this vulnerability in order to grant themselves administrator rights on a system they have already gained access to – so it is useful tool in the chain of vulnerabilities used to compromise a system or network.