Microsoft Exchange Servers are being actively exploited in the wild by various threat actors. Attackers are scanning for vulnerable instances of Microsoft Exchange Server and exploiting them via the ProxyShell vulnerabilities. ProxyShell is the name given to a set of three vulnerabilities in Microsoft Exchange Server that allow an attacker to execute arbitrary code on affected systems. These vulnerabilities are identified as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 and can be chained together to bypass ACL controls, elevate privileges, and achieve unauthenticated remote code execution. CVE-2021-34473 and CVE-2021-34523 were patched by Microsoft as part of the April 2021 Patch Tuesday release, whereas CVE-2021-31207 was patched in May. Even though they were patched in April, CVE-2021-34473 and CVE-2021-34523 were not disclosed by Microsoft until July 2021, which left many organizations unpatched, since many organizations prioritize patching based on the CVEs that have been published and the severity assigned to them.
Researchers have identified several types of web shells deployed to various vulnerable Microsoft Exchange servers. Researchers believe that at least 140 different styles of web shells have been deployed across more than 1900 Microsoft Exchange servers.
Several malware families have also started using the ProxyShell vulnerabilities to take over vulnerable systems. One of these is a new ransomware gang known as LockFile, which, after gaining a foothold on the system, deploys the LockFile ransomware and encrypts Windows domains. It targets organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. LockFile attacks have been reported mostly in the U.S. and Asia.
CVE-2021-34473: Remote Code Execution
This flaw exists in the Autodiscover service and arises from a lack of proper validation of the URI before resources are accessed. An attacker can use this vulnerability to execute arbitrary code, and, combined with the other vulnerabilities, to execute arbitrary code in the context of SYSTEM. This vulnerability falls into the “Critical” severity category with a CVSS base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2021-34523: Elevation of Privilege
This flaw exists in the Exchange PowerShell service and arises from improper validation of an access token before an Exchange PowerShell command is executed. An attacker can use this vulnerability to elevate privileges and, combined with the other vulnerabilities, to execute arbitrary code in the context of SYSTEM. This vulnerability falls into the “Critical” severity category with a CVSS base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2021-31207: Security Feature Bypass
This flaw exists in the mailbox export feature and arises from improper validation of user-supplied data, which allows an attacker to upload arbitrary files. When combined with the other vulnerabilities, it too can be used to execute arbitrary code in the context of SYSTEM. This vulnerability falls into the “High” severity category with a CVSS base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
Successful exploitation of the Exchange Server could result in remote code execution and compromise of the system.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging organizations to protect their Microsoft Exchange servers against the actively exploited ProxyShell vulnerabilities. CISA states: “Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”
Microsoft has already released patches for all of these vulnerabilities in the April 2021 and May 2021 Patch Tuesday updates. As noted above, CVE-2021-34473 and CVE-2021-34523 were patched by Microsoft in the April Patch Tuesday release, but the CVEs were not disclosed at that time and were only published in July 2021. The third ProxyShell vulnerability, CVE-2021-31207, was patched by Microsoft in the May Patch Tuesday release.
SanerNow can detect these vulnerabilities. It is highly recommended that affected systems be patched as soon as possible.