
Thousands of Outdated Microsoft Exchange Servers are Susceptible to Cyber Attacks


A large number of Microsoft Exchange email servers in Europe, the United States and Asia are exposed to the public internet while running versions that have reached end of life. Those versions no longer receive updates or security patches, so the servers remain open to a range of security issues, including remote code execution flaws with critical severity ratings.

Recent internet scans by The Shadowserver Foundation showed that nearly 20,000 Microsoft Exchange servers accessible from the public internet have reached end of life. Those figures may understate the problem: Yutaka Sejiyama, a security researcher at Macnica, carried out further research and identified more than 30,000 end-of-life Exchange servers.

Sejiyama's Shodan scans found 30,635 unsupported Exchange instances on the public web: 275 running Exchange Server 2007, 4,062 running Exchange Server 2010 and 26,298 running Exchange Server 2013.

The main concern with these old servers is remote code execution. Unsupported Exchange versions are exposed to several remote code execution bugs, including the critical ProxyLogon vulnerability (CVE-2021-26855), a server-side request forgery that can be chained with the less severe CVE-2021-27065, a post-authentication arbitrary file write, to achieve remote code execution.

Based on the build numbers of the scanned systems, Sejiyama estimates that approximately 1,800 Exchange servers are still vulnerable to the ProxyLogon, ProxyShell and ProxyToken vulnerabilities.

Although some of these flaws do not carry critical severity ratings, Microsoft rates them all "important", and, apart from the ProxyLogon chain, which has already been exploited in attacks, all of them carry an "exploitation more likely" assessment.

Organisations running obsolete Exchange servers remain exposed even if they have applied the available mitigations, which are interim measures rather than a substitute for patching. Microsoft advises prioritising updates on externally facing servers. For servers that have reached end of support, the only real option is to upgrade to a version that still receives security patches.

The identification of tens of thousands of vulnerable Microsoft Exchange servers emphasises the critical importance of updating software and applying security patches on a regular basis. Failure to do so exposes businesses to the risk of remote code execution and other security breaches.

Attackers Exploiting Bugs in PHP7 to Hijack Web Servers

Last week, Russia-based security researcher Emil 'Neex' Lerner reported a remote code execution vulnerability in PHP, now tracked as CVE-2019-11043, on the PHP bug tracker. The flaw lets attackers take control of servers running PHP 7 behind NGINX with PHP-FPM by requesting a specially crafted URL (the public proof of concept appends "?a=" to the URL of the target website). There is evidence that the issue is being actively exploited by threat actors.

Not every PHP-capable server is affected: only NGINX deployments with PHP-FPM enabled are at risk. PHP-FPM (FastCGI Process Manager) is the FastCGI implementation used to improve PHP performance, and the bug, which lets a remote attacker execute arbitrary code simply by requesting a specially crafted URL, lies in the env_path_info handling in the file fpm_main.c of the FPM component.
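The reason only NGINX + PHP-FPM deployments are exposed is the way the common nginx location block splits PATH_INFO off the script name with a regex. The following added example (mine, not code from the PHP project, nginx or the original post) models that split in Python, which shares PCRE's rule that `.` does not match a newline, shows the inconsistent script-name/PATH_INFO pair that a request path containing %0a produces, and implements the standard request-time guard, equivalent to `try_files $fastcgi_script_name =404;`, that rejects such requests before they reach PHP-FPM. The request paths and document root are constructed; the location block quoted in the docstring is the widely copied one and is assumed here to be what an affected site uses.

```python
"""Model of the nginx location block that makes CVE-2019-11043 reachable:

    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass  php-fpm:9000;
    }

nginx evaluates the split regex with PCRE, where `.` excludes the newline character, so a
percent-decoded path containing %0a makes the regex fail. nginx then keeps the whole URI as
$fastcgi_script_name and leaves $fastcgi_path_info empty: that mismatched pair is what the
env_path_info code in fpm_main.c mishandles. Python's re module applies the same rules for
`.` and for `$` (end of string, or before one trailing newline), so the model is faithful.
"""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")


def split_path_info(decoded_uri: str) -> Optional[Tuple[str, str]]:
    """Mimic fastcgi_split_path_info: (script_name, path_info), or None when the regex fails."""
    m = SPLIT_PATH_INFO.match(decoded_uri)
    return (m.group(1), m.group(2)) if m else None


def fastcgi_params(raw_uri: str) -> Dict[str, str]:
    """What the location block hands to PHP-FPM for one request path (query string excluded).
    nginx matches against the percent-decoded URI, so %0a has already become a newline here."""
    decoded = unquote(raw_uri)
    split = split_path_info(decoded)
    if split is None:
        # Regex failed: $fastcgi_script_name stays the whole URI and $fastcgi_path_info is empty.
        return {"SCRIPT_NAME": decoded, "PATH_INFO": ""}
    return {"SCRIPT_NAME": split[0], "PATH_INFO": split[1]}


def looks_like_cve_2019_11043(raw_uri: str) -> bool:
    """Detection: a .php request whose decoded path carries a newline that broke the split.
    A plain '/app.php' also fails the split, but without a newline it is ordinary traffic."""
    decoded = unquote(raw_uri)
    return "\n" in decoded and ".php" in decoded and split_path_info(decoded) is None


def serve(raw_uri: str, docroot: str) -> int:
    """Request-time guard equivalent to `try_files $fastcgi_script_name =404;`: nothing is passed
    to PHP-FPM unless the script nginx resolved exists on disk. Returns the status nginx would
    produce: 200 means forwarded to PHP-FPM, 404 means rejected before FastCGI is involved."""
    params = fastcgi_params(raw_uri)
    script = os.path.join(docroot, params["SCRIPT_NAME"].lstrip("/"))
    return 200 if os.path.isfile(script) else 404


def make_demo_docroot() -> str:
    """Constructed document root holding a single index.php, for the demonstration below."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    return root


# Constructed request paths: an ordinary front-controller URL and one shaped like the public
# proof of concept. The "?a=" query string the post mentions is not part of the path.
NORMAL_URI = "/index.php/user/42"
POC_URI = "/index.php/PHP_VALUE%0Asession.auto_start=1;;;"

if __name__ == "__main__":
    print(fastcgi_params(NORMAL_URI))  # script '/index.php', path info '/user/42'
    print(fastcgi_params(POC_URI))     # script holds the whole path incl. the newline, path info ''
    print(looks_like_cve_2019_11043(POC_URI), looks_like_cve_2019_11043(NORMAL_URI))
    root = make_demo_docroot()
    print(serve(NORMAL_URI, root), serve(POC_URI, root))  # 200 404
```

The guard is a mitigation, not the fix: the actual fix is upgrading PHP to 7.3.11, 7.2.24 or 7.1.33 (or later), which corrects the env_path_info handling itself. `try_files` is still worth keeping, because it also stops the older class of "pass a non-existent script name to PHP-FPM" problems.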

PHP (PHP: Hypertext Preprocessor) is a widely used open-source general-purpose scripting language for building static websites, dynamic websites and web applications. It is one of the most common languages for web development and is focused on server-side scripting. It underpins content management systems such as WordPress and, in a sense, much larger applications such as Facebook, so a security vulnerability in PHP itself is a big deal for security researchers.

Experts believe this vulnerability has the makings of a storm in the security world: it puts many environments at risk and is extremely easy to exploit. Patches are available as a safeguard, but not every operator is aware of, or has applied, the updates and workarounds.

According to ZDNet, the vulnerability radically lowers the bar for breaking into a website, to the point that even people without a technical background could potentially abuse it.

Satnam Narang, Senior Security Response Manager at Tenable, explains: "The PoC script included in the GitHub repository can query a target webserver to identify whether or not it is vulnerable by sending specially crafted requests."

"Once a vulnerable target has been identified, attackers can send specially crafted requests by appending '?a=' in the URL to a vulnerable web server," adds Narang.

Students Hack Student Information System; Change Attendance, Grades, and Lunch Balance Data

Two students at Bloomfield Hills High School are the main suspects in a hack of the school's Student Information System, MISTAR. The students are believed to have changed the grades, attendance records and lunch balances of about twenty students as well as their own.

The hack was discovered when an employee logged into his account and noticed an error; the school investigated the issue and learned of the attack.

The students are suspected of having exploited a since-resolved vulnerability in the school's systems to gain access.

“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”

The school has announced that it will reset all Parent Portal passwords on Monday, May 21, 2018, after which every parent or guardian will have to set a new password when they next log in.

While the investigation is ongoing and the school is still reviewing its digital security, it has said that, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”

“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.

In a YouTube video, district superintendent Robert Glass said that the punishment for those responsible for the attack is likely to be severe.

“Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications," he said. "Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law."

In addition to its FAQ page, the school has set up a support hotline where parents can learn more or have their questions about the hack answered.

Security flaw in India Post server revealed by researcher

French security researcher Robert Baptiste, who goes by Elliot Alderson on Twitter, has been revealing cybersecurity flaws in Indian organisations for a while now. This time, he has reported a vulnerability in an India Post server that allows remote code execution.

Baptiste reported this flaw on behalf of an Indian researcher who chose to remain anonymous because of the legal implications under Indian law.

The subdomain of India Post — — was vulnerable to CVE-2017-5638, the Apache Struts 2 remote code execution flaw in the Jakarta Multipart parser (not a flaw in the Apache HTTP Server). It meant that an attacker could run arbitrary code on the India Post server, as shown below:

The flaw exposed employees' bank details as well as databases of sensitive information; he posted several screenshots of files he was able to access by exploiting it.

He also revealed that he was not the first to exploit the flaw, posting screenshots that show exploitation activity from almost a year earlier, on 14 April 2017.

The vulnerability has since been fixed, after which Elliot Alderson tweeted the details of the hack.
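Because CVE-2017-5638 is triggered through request headers rather than a URL, a reverse proxy or WAF in front of a Struts application can catch attempts before they reach the multipart parser. The following added example (mine, not the researcher's or India Post's code) inspects the headers that the Jakarta Multipart parser echoes into the error message it builds, and flags the OGNL expression openers that a legitimate value never contains. The sample headers are constructed; the attack value only mimics the shape of the public proof of concept and is not a working payload.

```python
"""Header inspection for Apache Struts 2 CVE-2017-5638 (S2-045 / S2-046) exploitation attempts.

Why it works: when the Jakarta Multipart parser rejects a malformed header, Struts builds the
error message through its localized-text machinery, which evaluates OGNL expressions embedded in
the message. A header value containing %{...} or ${...} is therefore executed server side. S2-045
concerned Content-Type; S2-046 (same CVE) showed Content-Disposition and Content-Length also reach
that code path, so all three are inspected here.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    header: str
    reason: str


# OGNL expressions open with %{ or ${; neither sequence belongs in these headers.
OGNL_OPEN = re.compile(r"[%$]\{")
# A well-formed media type: type/subtype, optionally followed by ;parameters.
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;.*)?$", re.DOTALL)
INSPECTED = ("content-type", "content-disposition", "content-length")


def inspect(headers: Dict[str, str]) -> List[Finding]:
    """Return one Finding per suspicious header; an empty list means the request may pass."""
    findings: List[Finding] = []
    for name, value in headers.items():
        key = name.lower()
        if key not in INSPECTED:
            continue
        if OGNL_OPEN.search(value):
            findings.append(Finding(name, "OGNL expression opener in header value"))
        elif key == "content-type" and not MEDIA_TYPE.match(value):
            # Not an exploit by itself, but exactly the malformed input that enters the vulnerable path.
            findings.append(Finding(name, "malformed media type"))
        elif key == "content-length" and not value.strip().isdigit():
            findings.append(Finding(name, "non-numeric Content-Length"))
    return findings


def should_block(headers: Dict[str, str]) -> bool:
    return bool(inspect(headers))


# Constructed sample requests: a normal browser upload and one shaped like the public PoC.
BENIGN = {
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "Content-Length": "1234",
}
ATTACK = {
    "Content-Type": "%{(#_='multipart/form-data').(#cmd='id')}",
    "Content-Length": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("benign", BENIGN), ("attack", ATTACK)):
        print(label, "block" if should_block(hdrs) else "allow", inspect(hdrs))
```

This signature is precise rather than complete: it catches the public exploit family, but the real remedy is upgrading Struts (the S2-045 advisory names 2.3.32 and 2.5.10.1 as the fixed releases) or switching away from the Jakarta Multipart parser.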

BIND 9 Resolver crashes after logging an error in query.c

A security advisory from ISC says it has received reports from many organisations across the internet of crashes interrupting service on BIND 9 nameservers performing recursive queries (CVE-2011-4313).

Affected servers crashed after logging an error in query.c with the message "INSIST(! dns_rdataset_isassociated(sigrdataset))". Multiple versions were reported as affected, including all currently supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches that prevent the crash.

Affected versions:
All currently supported versions of BIND: 9.4-ESV, 9.6-ESV, 9.7.x and 9.8.x


An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record; subsequent queries for that record could crash the resolvers with an assertion failure. ISC is still working to determine how a record with this particular inconsistency comes to be cached. In the meantime it has made available a patch that makes named recover gracefully from the inconsistency instead of exiting.

The patch has two components. When a client query is handled, the code that builds the response asks the cache for the records for the queried name. The first component prevents the cache from returning the inconsistent data; the second prevents named from crashing if it is nevertheless handed an inconsistent answer of this kind, so that the resolver survives even if the first check is bypassed.

Solution for this vulnerability:
Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1 or 9.4-ESV-R5-P1.