Detecting Microsoft Exchange CVE-2021–26855 vulnerability using OWASP Nettacker

Sam Stepanyan
7 min readMar 17, 2021

--

The whole month of March 2021 has been a crazy one in the world of cybersecurity.
Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China code-named HAFNIUM and these vulnerabilities appear to have been adopted by other cyberattackers in widespread attacks.

According to Microsoft there are currently about 82,000 MS Exchange servers still vulnerable.

The are are 4 vulnerabilities used by these cyberattacks:

  • CVE-2021–26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
  • CVE-2021–26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
  • CVE-2021–26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
  • CVE-2021–27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.

If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and further malware deployment. However it is the first vulnerability in the attack chain:
CVE-2021–26855 which opens doors to all other vulnerabilities — it is the most important one to detect the presence of.

Please Note that Patches have been released by Microsoft and a one-click mitigation tool is available .

Unprotected MS Exchange servers need to urgently be updated before they’re discovered by cybercriminals. How do you know if you have any vulnerable MS Exchange Servers in your network?

In order to patch/apply mitigation to your vulnerable MS Exchange servers you need to be able to find them first! IT Asset inventory is a big problem in information security/cyber security nowadays as it is the devices/services/servers you don’t know about which pose the biggest risk!

OWASP Nettacker — a free and open-source tool from OWASP to the rescue! Since Wednesday 17th March 2021 it has been updated with a module which allows detection of vulnerable Exchange servers. You can launch this tool on your network IP ranges or domain name to discover the vulnerable servers.

DISCLAIMER: OWASP Nettacker is as an offensive security tool for assisting with recon/information gathering/vulnerability scanning/penetration testing tasks. Use it with caution only on networks and servers you own and have permission to scan

Please note that many cybersecurity vendors are currently offering to scan your network for this vulnerability only if you become their subscribers on commercial basis.

Please also note that Microsoft has released a free scanning tool implemented using Powershell here as well as an Nmap Script http-vuln-cve2021–26855.nse . However these tools have certain limitations and require certain skills. If you are not comfortable using these scripts OWASP Nettacker can help. Nettacker even has a docker version and a Web User Interface to help you to scan your network for vulnerabilities for free in the most user-friendly way.

OWASP Nettacker project can help you address the task of scanning multiple servers for this vulnerability as well as the task of finding the vulnerable servers in your network.

What is OWASP Nettacker? OWASP Nettacker in a nutshell is a Swiss Army Knife for Reconnaissance & Vulnerability Scanning — it is a relatively new OWASP project written in Python consisting of multiple modules which can be used from the single command line (use one or a combination of modules) against a target or a list of targets to perform an information gathering scan or a vulnerability detection scan.

Downloading and running OWASP Nettacker using Python

I usually run OWASP Nettacker on my KALI Linux VM, but because OWASP Nettacker is written in Python it can be run on any Linux/Mac/Windows system — provided you have Python2 or Python3 installed. Nettacker currently supports Python version 2.7, 3.6, 3.7 and 3.8. Some functionality can be broken in Python 3.9 so it is not recommended yet. You can use a tool like pyenv to switch between different versions of Python

You can install OWASP Nettacker by doing a ‘git clone https://github.com/OWASP/Nettacker’ from GitHub and installing the Python dependencies using a single command like this:

git clone https://github.com/OWASP/Nettacker.git && cd Nettacker && pip install -r requirements.txt

If you hit any issues please check the Installation section in the OWASP Nettacker Wiki here:

Running a Nettacker Scan from the Command Line

Once OWASP Nettacker is installed change directory to Nettacker:

cd Nettacker

Now you can run the tool using Python specifying that you need the module msexchange_cve_2021_26855_vuln in -m command line switch and your target (IP/IP range/FQDN) in -i like this:

python nettacker.py -i <target> -m msexchange_cve_2021_26855_vuln

to scan a single IP address (xxx.xxx.xxx.xxx):

python nettacker.py -i xxx.xxx.xxx.xxx -m msexchange_cve_2021_26855_vuln

However if you don’t know how many Exchange servers you have and their precise IP addresses you can use OWASP Nettacker to scan a whole IP range (e.g. xxx.xxx.xxx.xxx/24):

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m msexchange_cve_2021_26855_vuln

If you don’t know the IP address ranges of your network but do know that Exchange servers have subdomains (e.g. owa.mycompany.com, exchange.mycompany.com, mail.mycompany.com etc) you can ask Nettacker to enumerate subdomains and test them for MS Exchange vulnerability like this (please note the -s command like switch which instructs Nettacker to discover the subdomains of the domain name listed in the -i ):

python nettacker.py -i mycompany.com -s -m msexchange_cve_2021_26855_vuln

If you have the list of IPs/FQDNs of your networks saved in a file called list.txt (one line per IP or FQDN) you can scan all the servers in your list using the -l command line switch:

python nettacker.py -l list.txt -m msexchange_cve_2021_26855_vuln

If you would like to save the OWASP Nettacker report in JSON format instead of the default HTML format you can specify the report output filename using the -o command line switch (-o report.json) for example

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m msexchange_cve_2021_26855_vuln -o report.json

OWASP Nettacker is also capable of reporting in CSV format which is very handy as it can be opened and processed with Microsoft Excel — simply specify the report output filename with a .csv extension using the -o command line switch (-o report.csv) for example

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m msexchange_cve_2021_26855_vuln -o report.csv

It is also possible to run Nettacker using Docker:

Running Nettacker Scan with Docker & WebUI

The easiest way to run Nettacker is with Docker. This way you will avoid installing multiple Python dependencies and resolving library/Python version incompatibilities.

Here is how to do it :

git clone https://github.com/OWASP/Nettacker.git && cd Nettacker
docker-compose up

Wait for docker-compose to finish downloading & building the service.You will see a screen like this:

Grab the API key (copy it) and open your browser and navigate to https://127.0.0.1:5000 (accept security warnings)

You will see the OWASP Nettacker Web UI:

Paste the API Key (you have just copied) into the API Key box on the right and click the ‘Set Session’ button:

Now click on the New Scan button and in the Targets box type the target you want to scan (e.g. an IP range like 10.63.11.0/24) and tick the box for vulnerability msexchange_cve_2021_26855:

Now scroll down and click the Submit button:

Click the ‘Results’ button and wait for the results to appear on the list. You might need to click on the Last Update button several times until the results appears — it might take a few minutes depending on the number of servers Nettacker needs to scan. Click on the results and they will be shown in a table like this:

the image is redacted to protect the identity of not yet patched servers

That’s it! I hope you enjoyed using OWASP Nettacker!

I presented OWASP Nettacker at several conferences — you can find slides and videos on YouTube.

OWASP Nettacker, as an open-source project, promotes responsible and ethical use of its tools and modules. Security professionals utilising Nettacker should always ensure they have proper authorisation and follow applicable laws, regulations, and ethical guidelines when performing any form of security scanning/testing.

What to do if you’ve already been compromised

The United States Government Cybersecurity and Infrastructure Security Agency has created a victim response guide specifically for the Microsoft Exchange flaw CVE-2021–26855.

The guide, known as CISA Alert AA21–062A, explains how to conduct a forensic analysis to assist remediation efforts.

To respond more efficiently to this current Exchange threat and all future cyber threats, it’s important to have a clear and up-to-date Incident Response Plan (IRP).

To assist with the development of a highly-effective Incident Response Plan, refer to CISA Alert AA20–245A.

Follow me on Twitter: https://twitter.com/securestep9

--

--

Sam Stepanyan
Sam Stepanyan

Written by Sam Stepanyan

Application Security Consultant, OWASP London Chapter Leader, OWASP Board Member, Cyber Security Blogger & Speaker

No responses yet