Proxyshell Vulnerabilities – Summary

Technical Advice

The vulnerabilities described on this and the following page are known as the Proxyshell vulnerabilities of the on-premises Microsoft Exchange email server. If you have a Microsoft Exchange email server on-site (rather than in the ‘cloud’ through Microsoft 365) you may be at risk of these vulnerabilities being exploited.

While this is a collection of three vulnerabilities, the highest risk vulnerability has been independently scored as posing a critical risk to most organisations.

The Operation Configured team have contacted you because research indicates that your organisation or an organisation your ICT team supports may have these vulnerabilities and the Exchange server is exposed to the public internet. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether the organisation is vulnerable. If you establish that the systems are vulnerable, there is an increased risk they will fall victim to a potentially devastating criminal cyber attack as a result.

There is another, non-technical summary of these vulnerabilities available for managers and decision makers. You will need to support them in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About these Vulnerabilities

In August 2021, a cyber security researcher discovered and highlighted these newer vulnerabilities affecting various on-premises versions of the Microsoft Exchange Server which were being actively scanned and exploited by attackers for various types of targeted attacks, from business email compromise to intellectual property theft, crypto-mining and creating botnets to ransomware.  Microsoft Exchange is predominantly an email server, but does provide some other functionality.

In the attacks observed, the criminals, often referred to as ‘threat actors’, used these vulnerabilities to allows a remote attacker to bypass the authentication measures and execute their own code to access affected servers as a privileged user, which enabled access to email accounts.

The criminals can also further exploit affected servers in a way that allows them to install additional malicious software (‘malware’) to facilitate long-term access to the networks and systems of their victims and potentially cause severe damage of the server and adjoining systems / services.

These vulnerabilities relate to the Microsoft Exchange Client Access Services (CAS) attack surface.  The Mailbox servers contain the Client Access Services that are in in charge of accepting all client connections for all protocols, no matter if it’s HTTP, POP3, IMAP or SMTP. The frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.

When chained together, the Proxyshell vulnerabilities allow an attacker to bypass Access Control Level (ACL) controls, send a request to a PowerShell back-end and elevate their privileges, effectively authenticating themselves and allowing for remote code execution. Both public and private proof-of-concept exploits have been released which have allowed the mass scanning and exploitation of servers globally.

The Common Vulnerabilities and Exposures (CVE) reference numbers and summaries for these vulnerabilities are:

  • CVE-2021-34473 – This critical vulnerability provides a mechanism for an attacker to bypass the access control and remotely execute code on an affected system without being authenticated.  The specific vulnerability exists within the Microsoft Exchange Server ‘Autodiscover’ service.  Microsoft introduced the Autodiscover service to provide an easy way for mail client software to auto-configure itself and provide users access to the Exchange features, with minimal input from the user.
  • CVE-2021-34523 – Once the authentication stage is by-passed, this critical vulnerability enables attackers to execute code on affected Microsoft Exchange servers in the context of ‘SYSTEM’, thereby elevate their privileges.  This is due to a flaw in the PowerShell service not properly validating access tokens prior to executing the Exchange PowerShell command.
  • CVE-2021-31207 – This ‘High’ vulnerability allows remote attackers to execute code, post authentication (and now with SYSTEM privileges) on affected installations of Microsoft Exchange Server to write arbitrary files.  The specific flaw exists within the handling of ‘mailbox export’ because of the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files.

Research conducted around these CVE’s shows that :

  • they are remotely exploitable over the internet
  • the complexity required to exploit is low (meaning a relatively unskilled attacker can achieve this)
  • no privileges are required to exploit

If these CVE’s are exploited, it can risk the complete loss of confidentiality and integrity of the server. This could result in all of the resources being disclosed to an attacker and presents a direct serious impact to an organisation’s network.

It is possible for an attacker to also modify any or all files, so any malicious modification would present a critical threat.


The Risk these Vulnerabilities pose

There are significant risks should you choose to ignore or accept these vulnerabilities remaining in your system. Criminals are known to be actively scanning for vulnerable Exchange email servers and using them to attack organisations. Consequences may include, but are not limited to:

  • Theft of data
  • Corruption of backups
  • Using the compromised system to attack others, damaging the organisational reputation
  • Ransomware attack against systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • The organisation ceasing operations because of system failure, reputational damage or financial losses

News Reporting of Exploitation of these Vulnerabilities

?????????????????????????


Next Steps

The next steps for the organisation should be to:

  1. Verify the presence of these vulnerabilities in the organisation; if so:
  2. Establish if these vulnerabilities has already been exploited on the organisation’s systems
  3. Work with management to establish the degree of threat, potential harm and risk posed to the organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve these vulnerabilities and eliminate the risk
  6. Plan to improve the organisation’s cybersecurity for the future

For more information: