This article is more than 1 year old

NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches

100+ fixes for the Windows world – plus holes in SAP, Adobe, FreeBSD, etc

Patch Tuesday April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA).

Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical.

"This month’s release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post.

"These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers.

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA.

sap hq in dresden

SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers


Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems.

"NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks," the signals intelligence agency said via Twitter.

The NSA assist comes a month after Microsoft fixed four Exchange Server zero-day flaws, claiming that a China-based hacking group, dubbed "Hafnium," exploited the vulnerabilities to steal data from US defense contractors, law firms, and medical researchers.

Pointing to the two 9.8 severity Exchange flaws, Dustin Childs, director of communications for the Zero Day Initiative, in a blog post said, "Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as 'Network,' it is likely these bugs are wormable – at least between Exchange servers."

Six of the 114 Microsoft CVEs correspond to Microsoft Edge and were inherited via a recent Chromium update. Of the remainder, Childs notes that 27 are identified as "Remote Procedure Call Runtime Remote Code Execution Vulnerability," with 12 of these designated critical and 15 rated important.

"In RPC vulnerabilities seen in the past, an attacker would need to send a specially crafted RPC request to an affected system," he explained. "Successful exploitation results in executing code in the context of another user."

Among the rest, only CVE-2021-28310, identified as a Win32k Elevation of Privilege Vulnerability, is known to be under active exploitation.

And the rest

SAP reported a higher number of security advisories than usual: 23, of which 11 are medium severity, five are high severity, and three are designated "Hot News" because SAP evidently can't bring itself to say "critical."

Among these three, one flaw managed to score a perfect 10 CVSS score. SAP hasn't made the details publicly available but security firm Onapsis explains that it's an update that fixes 62 vulnerabilities in Google's Chromium browser, which is used in SAP Business Client.

The runner-up is a 9.9 severity flaw designated CVE-2021-27602, which SAP describes as a remote code execution vulnerability in Source Rules of SAP Commerce, versions 1808, 1811, 1905, 2005, and 2011.

The last of the top three is a 9.6 severity missing authorization check in SAP NetWeaver AS JAVA (migration service) that earned the CVE-2021-21481.

Adobe meanwhile issued four advisories – APSB21-28 for Photoshop, APSB21-26 for Digital Editions, APSB21-23 for Bridge, and APSB21-20 for RoboHelp – addressing ten CVEs. Four of these are critical – two of these in Photoshop and the other two in Bridge.

Google at the beginning of the month dropped 39 CVEs covering Android and components from MediaTek and Qualcomm. Two were designated critical.

"The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google's security bulletin said. ®

More about


Send us news

Other stories you might like