CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.4)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-Feb

Released

2021-02-09

Last Updated

2023-11-14

EPSS Score

2.01% (percentile: 83.7%)

Description

A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user. This update addresses this vulnerability. To prevent these types of attacks, Microsoft recommends customers to download inline images from different DNSdomains than the rest of OWA. Please see further instructions in the FAQ to put in place this mitigations.

FAQ

Why are the updates listed those that were released in September? This vulnerability was found in the Exchange Server Installer. This type of vulnerability can only be addressed in a complete release as opposed to a cumulative update. We allowed time for customers to move to the September release prior to disclosing the vulnerability. What are the steps to configure Download Domains to enable the protection from this vulnerability? Yes, please see Exchange Download Domains for detailed information.

Affected Products (2)

Exchange Server

• Microsoft Exchange Server 2019 Cumulative Update 7
• Microsoft Exchange Server 2016 Cumulative Update 18

Security Updates (2)

• 4571787
• 4571788

Acknowledgments

Mohamed Sayed of IBM X-Force

Revision History

• 2021-02-09: Information published.
• 2021-02-24: Added an FAQ detailing further steps that must be performed to enable the protections from this vulnerability.
• 2023-02-02: Updated FAQ information. This is an informational change only.
• 2023-11-14: Updated FAQ information. This is an informational change only.