
Microsoft Exchange servers actively scanned for ProxyShell vulnerability

Reference: Advisory #2021-015
Version: 1.0
Affected software: Microsoft Exchange's Client Access Service (CAS)
Type: Unauthenticated Remote Code Execution
CVE/CVSS:
  1. CVE-2021-34473: Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  2. CVE-2021-34523: Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  3. CVE-2021-31207: Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
  4. CVE-2021-31206: Microsoft Exchange Server Remote Code Execution Vulnerability (Patched in July by KB5004780)

Sources

https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now/

https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 (Proof-Of-Concept)

Risks

ProxyShell is a chain of three vulnerabilities which, when exploited by an attacker, allows unauthenticated remote code execution on the vulnerable Microsoft Exchange Server. Successful exploitation can result in a takeover of the server and can have a high impact on the entire CIA triad (Confidentiality, Integrity, Availability), depending on what the threat actor does after the exploitation.

Description

The ProxyShell attack chains three vulnerabilities (sometimes up to four) to perform Unauthenticated Remote Code Execution on Microsoft Exchange Servers:

  1. CVE-2021-34473: Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  2. CVE-2021-34523: Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  3. CVE-2021-31207: Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
  4. CVE-2021-31206: Microsoft Exchange Server Remote Code Execution Vulnerability (Patched in July by KB5004780)

ProxyShell specifically targets the 'Microsoft Exchange Autodiscover' service, which was implemented as an easy way for mail client software to auto-configure access with minimal user input.

On August 6, attackers modified their scans to use a 'new' Autodiscover URL:

https://Exchange-server/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%[email protected]

Using this technique, threat actors were able to detect vulnerable systems, as the request triggers the compilation of the ASP.NET web application.

Recommended Actions

CERT.be recommends that the latest cumulative updates be installed so that systems are protected from these vulnerabilities and the risk of exploitation is reduced.

If this is not possible due to the Exchange version or dependencies, please refer to the CVEs and their respective KB update guides.

Check for scanning activity

Exchange Server administrators are advised to use Azure Sentinel, if available, to check IIS logs for the "/autodiscover/autodiscover.json" or "/mapi/nspi/" strings.

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "/mapi/nspi/"

If the query returns requests for the targeted Autodiscover URL, the server was likely scanned for the vulnerability.