The Recent Exchange Server Vulnerability and SSRF Attacks

On Tuesday, March 2nd, Microsoft announced an MS Exchange server vulnerability, CVE-2021-26855, that was being exploited to perpetrate an active server side request forgery (SSRF) attack. Any organization running an Exchange server exposed to the internet through port 443 was vulnerable.

If you're scratching your head, wondering what an SSRF attack is, you're not alone. SSRF attacks are less common, and not as well known, as other attack vectors. But when they are used, the damage can be severe.

SSRF attacks are designed to prey on trust and privilege within a network. As in this case with Exchange server, an SSRF attack uses a malicious client to send a request to a server. That request triggers the server to take unwanted action within the network. Because the server can communicate with any resource, including internal sources inside the network, information that would ordinarily be protected inside the perimeter may be leaked. Alternatively, the internal server can be forced to communicate with an external resource, which it may assume is within its trust boundary.

It's in this combination of leaking internal information and subverting the boundary of trust where attacks get especially ugly. What makes SSRF attacks particularly insidious is that they are usually chained with other vulnerabilities—including information leaks and arbitrary file writes—allowing the perpetrators to establish a foothold on the server which can then be exploited for remote code execution. This was true in the case of this Exchange server exploit. Microsoft reported in its initial disclosure that the attack involved multiple vulnerabilities. It's another case of a trusted source that, when compromised, can pave the way for malicious actions.

Unfortunately, this type of attack is not unique to Microsoft. ExtraHop threat researchers have simulated nearly identical attacks using other cloud provider infrastructure. Take a look at this two minute video to see what an SSRF attack looks like in a simulated AWS environment.

If you're running Exchange Server, we strongly encourage you to act quickly to apply patches to all affected servers, and continue to monitor closely for suspicious activity.

ExtraHop has added a Reveal(x) detection for SSRF attacks that exploit this Exchange server vulnerability.