Microsoft has released guidance for addressing the actively exploited ProxyShell flaws that affect multiple versions of its Exchange servers.
This collection of flaws, patched in April and May 2021, was demonstrated by security researcher Orange Tsai of DEVCORE at Pwn2Own 2021, the hacking contest run by Trend Micro's Zero Day Initiative.
- CVE-2021-34473 – Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-34523 – Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
Although Microsoft fixed the bugs in April and May, it did not assign CVE IDs to the first two flaws until July 2021, so the April update shipped with no advisory describing what it fixed. Organizations that track their exposure by CVE therefore had no indication that the vulnerabilities existed, and some never discovered them until exploitation began.
Security researchers and the US Cybersecurity and Infrastructure Security Agency (CISA) warned administrators to patch their Exchange servers to prevent attacks exploiting the ProxyShell vulnerabilities.
Although the attacks had already been publicly reported, Microsoft did not directly inform its customers about them until today.
“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities,” The Exchange Team said. “If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).”
In other words, to be protected against these vulnerabilities, customers must have installed at least one of the May 2021 or July 2021 security updates for their Exchange Cumulative Update (CU).
Microsoft says Exchange servers should be considered vulnerable if:
- The server is running an older, unsupported CU; or
- The server is running the March 2021 security updates that were issued for older, unsupported versions of Exchange; or
- The server is running an older, unsupported CU with the March 2021 Exchange On-premises Mitigation Tool (EOMT) mitigations applied.
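The three conditions above all reduce to one question: is the installed Exchange build at or above the security update for a currently supported CU? The following PowerShell script, an added example that is not part of the article or of Microsoft's guidance, answers that question from the file version of ExSetup.exe. The build thresholds in `$PatchedBuilds` are the July 2021 SU builds as recalled from Microsoft's "Exchange Server build numbers and release dates" page and are an assumption to be verified against that page before acting on the output; because the bar is the July SU, a server that has only the May 2021 SU is reported as below the threshold even though the Exchange Team considers it protected. Any CU missing from the table is treated as unsupported, which is how Microsoft's conditions classify it regardless of the March 2021 SU or EOMT mitigations.

```powershell
# Added example (not from the article or from Microsoft): report whether an
# on-premises Exchange server's installed build is at or above the July 2021
# security update (SU) for its Cumulative Update (CU).
#
# ASSUMPTION: the builds in $PatchedBuilds are the July 2021 SU builds as recalled
# from Microsoft's "Exchange Server build numbers and release dates" page. Verify
# them there before relying on the result. CUs absent from the table are
# unsupported and are reported as vulnerable, matching Microsoft's guidance.

$PatchedBuilds = @{
    '15.2.922'  = [version]'15.2.922.13'   # Exchange 2019 CU10 + July 2021 SU (assumed)
    '15.2.858'  = [version]'15.2.858.15'   # Exchange 2019 CU9  + July 2021 SU (assumed)
    '15.1.2308' = [version]'15.1.2308.14'  # Exchange 2016 CU21 + July 2021 SU (assumed)
    '15.1.2242' = [version]'15.1.2242.12'  # Exchange 2016 CU20 + July 2021 SU (assumed)
    '15.0.1497' = [version]'15.0.1497.23'  # Exchange 2013 CU23 + July 2021 SU (assumed)
}

function Get-ExchangeInstalledBuild {
    # ExSetup.exe's file version reflects installed SUs; Get-ExchangeServer's
    # AdminDisplayVersion only reflects the CU and does not change when an SU is applied.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.FileVersion
}

function Test-ProxyShellPatched {
    param([Parameter(Mandatory)][version]$InstalledBuild)

    # Major.Minor.Build identifies the CU; Revision identifies the SU level within it.
    $cuKey = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build

    if (-not $PatchedBuilds.ContainsKey($cuKey)) {
        return [pscustomobject]@{
            Build  = $InstalledBuild
            Status = 'Vulnerable'
            Reason = "CU $cuKey is not a supported CU: unsupported CUs are vulnerable " +
                     "even with the March 2021 SU or the EOMT mitigations applied"
        }
    }

    $minimum = $PatchedBuilds[$cuKey]
    if ($InstalledBuild -ge $minimum) {
        return [pscustomobject]@{
            Build  = $InstalledBuild
            Status = 'Patched'
            Reason = "Build is at or above the July 2021 SU for this CU ($minimum)"
        }
    }
    return [pscustomobject]@{
        Build  = $InstalledBuild
        Status = 'Vulnerable'
        Reason = "Supported CU but below the July 2021 SU: installed $InstalledBuild, need at least $minimum"
    }
}

# Offline demonstration with constructed build numbers (no Exchange server needed):
Test-ProxyShellPatched -InstalledBuild '15.2.858.5'   # 2019 CU9 without SU -> Vulnerable (SU missing)
Test-ProxyShellPatched -InstalledBuild '15.2.858.15'  # 2019 CU9 + July SU  -> Patched
Test-ProxyShellPatched -InstalledBuild '15.1.2176.14' # 2016 CU19           -> Vulnerable (unsupported CU)

# On a real server, run from the Exchange Management Shell:
# Test-ProxyShellPatched -InstalledBuild (Get-ExchangeInstalledBuild) | Format-List
```

The check deliberately reads ExSetup.exe rather than `Get-ExchangeServer`, because `AdminDisplayVersion` reports only the CU and stays the same after a security update is installed; a server can therefore look current in the admin console while still being exposed. Run it against every hybrid server as well, since the Exchange Team's statement makes Exchange Online protection conditional on those being updated too.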
The warning comes after multiple threat actors began exploiting the ProxyShell vulnerabilities.
While the earlier wave of ProxyShell attacks appeared limited to deploying web shells, the access is now being used to deliver malware payloads, such as the LockFile ransomware.
Illustrating the scale of the issue, security firm Huntress Labs has found over 140 web shells deployed by attackers on more than 1,900 compromised Microsoft Exchange servers.