Security advisories

PoC Released, Active Exploitation of Exchange Vulnerabilities Observed

August 18, 2021 | 1 MIN READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

Active exploitation of previously disclosed Microsoft Exchange vulnerabilities has been observed against researcher honeypots in the wild. Affected versions include Microsoft Exchange Server’s 2013, 2016, and 2019. Patches have been available since May [1].

A known vulnerability in Microsoft Exchange allows attackers to commit arbitrary file upload and execution [1]. In combination with previously reported authentication and privilege escalation vulnerabilities (patched in April) [2], this cluster of bugs is known as ProxyShell. This attack was first demonstrated on August 5, 2021, in a BlackHat presentation [3], followed by scanning for vulnerable devices. Within a week of the disclosure, researchers reported active exploitation against their honeypots [4]. Microsoft has made patches available for all three vulnerabilities [1][2].

What we’re doing about it

What you should do about it

Additional information

Impacted Products:

The attack chain starts with CVE-2021-31207, an authentication bypass vulnerability. From there, a threat actor can elevate privileges with CVE-2021-34523. Finally, with a foothold in the system and escalated privileges, remote code execution can be achieved with CVE-2021-34473. The publicly released PoC relies on abuse of Autodiscover, mapi, and PowerShell in the victim’s environment [5].

References:

[1] https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1
[2] https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064
[3] https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442
[4] https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/
[5] https://github.com/ktecv2000/ProxyShell/blob/main/exploit.py

View Most Recent Advisories