SB2023021424 - Multiple vulnerabilities in Microsoft Exchange Server
Published: February 14, 2023 Updated: May 23, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Exposed dangerous method or function (CVE-ID: CVE-2023-21529)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the MultiValuedProperty class. A remote user can send a specially crafted request and execute arbitrary code in the context of the server's account.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Code Injection (CVE-ID: CVE-2023-21707)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code in the context of the server's account.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Code Injection (CVE-ID: CVE-2023-21706)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code in the context of the server's account.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Code Injection (CVE-ID: CVE-2023-21710)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user with administrative privileges can send a specially crafted request and execute arbitrary code in the context of the server's account.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21529
- https://www.zerodayinitiative.com/advisories/ZDI-23-162/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21707
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21706
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21710