Advisory August 16, 2021

ProxyShell Bugs on Microsoft Exchange Servers

Obrela SOC

As of August 12, 2021, Microsoft Exchange Servers seem to be under active attack. Threat actors are taking advantage of the ProxyShell exploit chain, which allows remote unauthenticated attackers to execute arbitrary commands on vulnerable on-premises instances of Microsoft Exchange Server.

The ProxyShell exploit chain consists of three vulnerabilities:

  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability

These three vulnerabilities are exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS. When chained together, they allow attackers to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges.

According to Shodan, there appear to be at least 47,916 publicly exposed Microsoft Exchange Servers that are still unpatched against at least one of the three bugs that can be chained together for this attack.

Mitigation

Until it is confirmed that the three vulnerabilities above are fully patched, block incoming external traffic over port 443 to corporate Microsoft Exchange Servers, provided this does not break any functionality for the organization.

Remediation

Microsoft has released cumulative updates that include the patches for the following Microsoft Exchange Server vulnerabilities:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207