Microsoft has released security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019. Several vulnerabilities have been identified - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 - and these are being actively exploited in the wild.
Microsoft recommends prioritizing the installation of updates on externally facing Exchange Servers.
In addition, Microsoft has published mitigation actions that can be run on Exchange Servers. Note that these will not protect systems that have already been exploited. For those using LoadMaster for Exchange load balancing, the following mechanisms will assist in protecting Exchange Servers:
LoadMaster Exchange Server Protection
Edge Security Pack on LoadMaster provides a means of enforcing pre-authentication on LoadMaster. This enables the following:
- Protection of the Exchange Server from handling unauthenticated connection attempts on OWA, ECP and ActiveSync services, massively reducing the attack surface to only include users with valid credentials.
- Enhanced logging of access by username and IP address for auditing.
- Failed login attempt limiting.
Using LoadMaster as part of Mitigation Strategy
Mitigation Actions corresponding to those recommended by Microsoft may also be implemented on the LoadMaster as part of the mitigation strategy.
The Mitigation Actions recommended by Microsoft can be broken down into:
1. Dropping of requests containing specific identified cookies used by this exploit. See here for a guide on how to implement content rules on LoadMaster to block this traffic.
2. Disabling of services vulnerable to attack. See here for details of how to disable access to specific Exchange services on the LoadMaster or alternatively restrict access to specific IP address ranges using Access Control Lists.
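The two mitigation actions above, sketched as request-filtering logic in Python. This is an added example, not LoadMaster configuration or code from Microsoft; the cookie names are those targeted by Microsoft's published mitigation for CVE-2021-26855, while the regular expressions, the restricted paths (/ecp, /oab) and the allowed address range are assumptions of this example.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Cookie names from Microsoft's published CVE-2021-26855 mitigation; the
# expressions themselves are this example's assumption.
BLOCKED_COOKIES = [
    re.compile(r"(?:^|;)\s*X-AnonResource-Backend\s*=", re.I),
    re.compile(r"(?:^|;)\s*X-BEResource\s*=[^;]+/[^;]+~[^;]+", re.I),
]
# Assumed policy: these services are reachable only from internal ranges.
RESTRICTED_PREFIXES = ("/ecp", "/oab")
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed range


def decide(client_ip, path, headers):
    """Return 'drop', 'deny' or 'allow' for one request."""
    # Header names are case-insensitive and Cookie may appear more than once.
    cookie = "; ".join(v for k, v in headers if k.lower() == "cookie")
    if any(p.search(cookie) for p in BLOCKED_COOKIES):
        return "drop"
    # Decode and normalise the path first, so /ECP/, //ecp and
    # /owa/%2e%2e/ecp/ all hit the same rule.
    raw = unquote(path.split("?", 1)[0]).lstrip("/")
    norm = posixpath.normpath("/" + raw).lower()
    if any(norm == p or norm.startswith(p + "/") for p in RESTRICTED_PREFIXES):
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in ALLOWED_NETS):
            return "deny"
    return "allow"


SAMPLES = [  # constructed requests, not captured traffic
    ("203.0.113.7", "/owa/auth/logon.aspx", [("Cookie", "lang=en")]),
    ("203.0.113.7", "/owa/auth/x.js",
     [("cookie", "a=1; X-AnonResource-Backend=host.example")]),
    ("203.0.113.7", "/ecp/default.aspx", []),
    ("10.1.2.3", "/ECP/default.aspx", []),
    ("203.0.113.7", "/owa/%2e%2e/ecp/", []),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decide(*sample), sample[0], sample[1])
```

The same normalisation matters in a real content rule or ACL: a rule that matches only the literal lowercase path can be sidestepped by case or encoding variants.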
Note that these are mitigation actions only. For full protection, it is recommended that the Exchange Server security updates are applied as recommended by Microsoft.