Vulnerabilities in Microsoft Exchange Server are once again posing a security threat several months after they were first disclosed and patched.
Three vulnerabilities known as “ProxyShell” were discovered by Orange Tsai, a security researcher with pen testing firm Devcore. The most serious flaw in the trio is CVE-2021-34473, a critical remote code execution vulnerability. The other two vulnerabilities include CVE-2021-34523, a critical elevation of privilege bug in Exchange Server, and CVE-2021-31207, a security bypass flaw.
CVE-2021-34473 and CVE-2021-34523 were both patched in April, but the two vulnerabilities weren’t disclosed in the update guide until Microsoft’s July Patch Tuesday release. CVE-2021-31207, meanwhile, was patched and disclosed in May.
Despite patches being available for the ProxyShell vulnerabilities, things came to a head last week when Tsai issued findings at the Black Hat 2021 security conference in Las Vegas and demonstrated how the flaws could be chained together in an attack. While Orange Tsai did not release a proof-of-concept exploit for ProxyShell vulnerabilities, two other security researchers developed and published a working exploit based on the information in the Black Hat presentation.
According to Tsai, ProxyShell is only the surface layer of a massive security hole that underlies Exchange servers, and further attacks are going to be inevitable.
“This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections or logic flaws,” Tsai wrote in a summary of the flaws. “But we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities.”
Future attacks aside, the presentation brought renewed attention to the vulnerabilities, and shortly after Tsai’s presentation in Las Vegas, scans for them picked up. Not long after, word began to spread that many of the systems deemed vulnerable in March remain exposed.
Several security researchers also noted mass scanning of Exchange Server installations for ProxyShell vulnerabilities.
According to Florian Roth, head of research at Nextron Systems, many of those servers deemed vulnerable earlier this year continue to be exposed to attack.
#ProxyShell
TLDR; you’re safe as long as you’ve installed the patches released in May
~32,000 systems are possibly vulnerable
(note: info is incomplete and partly outdated) pic.twitter.com/ZAMHdHQo4q
— Florian Roth ⛰ (@cyb3rops) August 9, 2021
Since the flaws were first revealed, thousands of machines have gone without updates and remain exposed to what is now a publicly known bug. Experts say, however, that patch installations can be delayed for a number of reasons, including the downtime required to apply a fix to a server or other essential machine.
The ProxyShell situation is similar to another set of Exchange vulnerabilities discovered by Orange Tsai. CVE-2021-26855, popularly known as ProxyLogon, is a server-side request forgery vulnerability in Exchange that allows an attacker to take control of a vulnerable server via commands sent over network port 443.
The ProxyLogon bug and three related vulnerabilities were originally disclosed in early March when Microsoft spilled the beans on a Beijing-sponsored hacking operation that preyed on the bugs, along with several other flaws. The attacks were attributed to China-based groups.
At the time of disclosure, it was estimated that tens of thousands of Exchange servers were vulnerable to the flaw.