Jump to content

Every time I open Outlook client, EEA prompts JSExploit. Cve-2021-26855


tian

Recommended Posts

Every time I open Outlook client, EEA prompts JSExploit. Cve-2021-26855.

If I disconnect from the Exchange server and open the Outlook client, I won't get this message.

The exchange server was scanned completely using EFSW and no threat was found.

How can I further judge the problem?

JSExploit.cve-2021-26855.png

Link to comment
Share on other sites

  • Administrators

Do you have ESET Mail Security for MS Exchange installed on the mail server? What version of EMSX and MS Exchange is it? Is MS Exchange fully patched and all security updates are installed?

Link to comment
Share on other sites

The customer uses exchange2013, installed on windows2012.

EFSW8.0.12011.0 is installed on windows2012,not EMSX.

All Microsoft patches have been installed for Windows 2012.

Link to comment
Share on other sites

  • ESET Staff

Its likely that the external URL for OAB has a WebShell one-liner in its URL.  To check for and to remediate this, please do the following.

JS/Exploit.CVE-2021-26855.Webshell.H is an IOC detection which simply means your Exchange server was exploited in the past by this CVE.  Ensure you your Exchange server is fully patched, and then perform the following to remove the remnants of attack.

 

 

Check the following on the Exchange Server:

1.      Use a web browser to access: https://127.0.0.1/ecp

a.       Login with an admin that has enough rights (might require exchange admin)

2.      Click on "Servers" on the left

3.      Click on "Virtual Directories" tab thing in top middle area

4.      double click on "OAB Default Website" (OAB = Offline Address Book)

5.      Check what is in the 2 URL fields

a.       Internal URL

b.      External URL

6.      Copy and paste any suspicious URL fields into Notepad (with word wrap enabled) and then save a screenshot and discard the Notepad

a.       Saving the raw text will cause a detection by ESET.

7.      Save your changes and then move on to either rebooting the exchange server or restarting IIS.

a.       Without restarting IIS, then the IIS server will continue to host the AutoDiscovery settings which cause detections on endpoints with outlook.

Here is what this looks like on my non-compromised test environment:

image.png

Restarting IIS (or just reboot the server)

  1. Open "Internet Information Services (IIS) Manager" (Windows + R > inetmgr.exe)
  2. Click on your server name in the list (mine test environment showed: SVRSANDEXCH (DEMO\Administrator))
  3. On the far right under actions, click "Restart" (or you can right click on the server name and choose "stop" then "start")
  4. This made outlook on my test workstation go offline for about 30 seconds (likely longer in a production environment) and I no longer got any of the cached OAB URLs which caused detections.

After this, all endpoints may get one, or more, final detection as they clean up any remaining copies of AutoD/AutoDisovery XML files, but the total count of detections of webshells per day, should go decrease until you no longer have any of these detections.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...