ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers

By Caitlin Condon, Rapid7

August 16, 2021

On August 5, 2021, in a Black Hat USA talk, DEVCORE researcher Orange Tsai shared information on several exploit chains targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was exploited en masse in February and March of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. As of August 12, 2021, multiple researchers have detected widespread opportunistic scanning and exploitation of Exchange servers using the ProxyShell chain.

According to Orange Tsai's demonstration, the ProxyShell exploit chain allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. The exploit comprises three discrete CVEs:

While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft’s advisories note that they were inadvertently omitted from publication until July.

When chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution. No public proof-of-concept (PoC) code has been released as of August 12, but there is ample evidence of multiple private exploits — not surprising, since ProxyShell was first demonstrated more than four months ago at Pwn2Own. A number of technical analyses of the chain have been published, and we expect public PoCs to be shared shortly.

Notably, there has been confusion about which CVE is which across various advisories and research descriptions — Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but Orange Tsai’s Black Hat slides list CVE-2021-34473 as the initial ACL bypass. Community researchers have also expressed confusion over CVE numbering across the ProxyShell chain, but ultimately, the takeaway is the same: Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise.

Affected products

The following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:

  • Microsoft Exchange Server 2019 Cumulative Update 9
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2016 Cumulative Update 20
  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2013 Cumulative Update 23

Organizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that all Exchange instances are patched on a zero-day basis. To do this, it is vital that defenders keep up to date with quarterly Cumulative Updates, since Microsoft releases security fixes only for the most recent Cumulative Update versions.

While ProxyShell and March’s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be a valuable and accessible attack surface for both sophisticated and run-of-the-mill threat actors, and we will certainly see additional widespread exploitation in the future.

Read more from our emergent threat response team on high-priority attack surface area, including Windows Print Spooler and Pulse Connect Secure VPNs.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to all three ProxyShell CVEs with authenticated vulnerability checks.
