Exchange Server Vulnerability
We have been monitoring exploitation activity against Microsoft Exchange servers that has been developing since May. The new development seen in the wild over the past couple of days is that this exploit chain is being used to drop ransomware into an organization's environment.
Priority:
These exploits (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) should be treated as extremely critical when establishing a remediation plan, since they can allow a threat actor not only to gain remote access but also to drop ransomware in your environment. If you are running an affected version, it is recommended that you remediate within 12-24 hours via an emergency change.
Affected Versions:
The following versions are affected by these exploits:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
The Vulnerability:
The exploit details are as follows:
- CVE-2021-34473 – The first vulnerability in ProxyShell is similar to the SSRF in ProxyLogon. It too appears when the frontend (known as Client Access Services, or CAS) is calculating the backend URL. When a client HTTP request is categorized as an Explicit Logon Request, Exchange normalizes the request URL and removes the mailbox address part before routing the request to the backend.
- CVE-2021-34523 – Allows an attacker to bypass authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, an attacker can execute arbitrary commands on the remote Microsoft Exchange Server.
- CVE-2021-31207 – The last part of the exploit chain is post-authentication remote code execution using Exchange PowerShell commands.
The Remediation:
Patch the server with the following critical updates.
| Release date | Product | Impact | Severity | Article | Download | Details |
|---|---|---|---|---|---|---|
| May 11, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Security Feature Bypass | Moderate | 5003435 | Security Update | CVE-2021-31207 |
| May 11, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Security Feature Bypass | Moderate | 5003435 | Security Update | CVE-2021-31207 |
| May 11, 2021 | Microsoft Exchange Server 2016 Cumulative Update 20 | Security Feature Bypass | Moderate | 5003435 | Security Update | CVE-2021-31207 |
| May 11, 2021 | Microsoft Exchange Server 2019 Cumulative Update 9 | Security Feature Bypass | Moderate | 5003435 | Security Update | CVE-2021-31207 |
| May 11, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Security Feature Bypass | Moderate | 5003435 | Security Update | CVE-2021-31207 |
| Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Elevation of Privilege | Important | 5001779 | Security Update | CVE-2021-34523 |
| Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Elevation of Privilege | Important | 5001779 | Security Update | CVE-2021-34523 |
| Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 20 | Elevation of Privilege | Important | 5001779 | Security Update | CVE-2021-34523 |
| Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 9 | Elevation of Privilege | Important | 5001779 | Security Update | CVE-2021-34523 |
| Jul 13, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Elevation of Privilege | Important | 5001779 | Security Update | CVE-2021-34523 |
| Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 9 | Remote Code Execution | Critical | 5001779 | Security Update | CVE-2021-34473 |
| Jul 13, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Critical | 5001779 | Security Update | CVE-2021-34473 |
| Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Remote Code Execution | Critical | 5001779 | Security Update | CVE-2021-34473 |
| Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Remote Code Execution | Critical | 5001779 | Security Update | CVE-2021-34473 |
| Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 20 | Remote Code Execution | Critical | 5001779 | Security Update | CVE-2021-34473 |
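To turn the affected-version list and the update table above into something an operations team can act on, the following added example (not part of this advisory and not Microsoft's code) inventories every Exchange server in the organization and flags any whose installed build predates the July 13, 2021 security update for its Cumulative Update. It assumes it is run from the Exchange Management Shell by an account that can `Invoke-Command` to each server. The advisory names the affected CUs but not their build numbers, so the `$MinimumPatchedRevision` table below holds labelled placeholder values that must be filled in from Microsoft's published Exchange build-number table before the report is trusted; the function name and the table are this example's own.

```powershell
# Added example, not part of the advisory: inventory every Exchange server and
# flag any whose installed build is older than the July 13, 2021 security
# update for its Cumulative Update. Assumes it is run from the Exchange
# Management Shell by an account that can Invoke-Command to each server.

# Minimum patched build per CU, keyed by "major.minor.build" (the third number
# identifies the CU) with the value being the first patched revision.
# The advisory names the affected CUs but not their build numbers, so the
# entries below are PLACEHOLDERS: replace them with the build numbers of the
# July 13, 2021 SU (KB5001779) for each CU from Microsoft's "Exchange Server
# build numbers and release dates" page before relying on the report.
$MinimumPatchedRevision = @{
    '15.0.0' = 0   # placeholder: Exchange 2013 CU23 + Jul 2021 SU
    '15.1.0' = 0   # placeholder: Exchange 2016 CU19 + Jul 2021 SU
    '15.1.1' = 0   # placeholder: Exchange 2016 CU20 + Jul 2021 SU
    '15.2.0' = 0   # placeholder: Exchange 2019 CU8  + Jul 2021 SU
    '15.2.1' = 0   # placeholder: Exchange 2019 CU9  + Jul 2021 SU
}

function Get-ExchangeSecurityUpdateStatus {
    [CmdletBinding()]
    param(
        [hashtable]$MinimumRevision = $MinimumPatchedRevision
    )

    Get-ExchangeServer | ForEach-Object {
        $server = $_
        try {
            # AdminDisplayVersion only reflects the CU. Microsoft's documented
            # way to see the installed SU is the ExSetup.exe file version.
            $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
                (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
            } -ErrorAction Stop
            $running = [version]$fileVersion
            $cuKey   = '{0}.{1}.{2}' -f $running.Major, $running.Minor, $running.Build

            if (-not $MinimumRevision.ContainsKey($cuKey)) {
                $status = 'UNKNOWN CU - add its patched build to the table'
            } elseif ($running.Revision -ge $MinimumRevision[$cuKey]) {
                $status = 'PATCHED'
            } else {
                $status = 'VULNERABLE - install the July 2021 SU (KB5001779)'
            }
        } catch {
            # A server that cannot be queried is reported, not silently skipped.
            $running = $null
            $status  = "QUERY FAILED - $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Server       = $server.Name
            AdminVersion = $server.AdminDisplayVersion
            RunningBuild = $running
            Status       = $status
        }
    }
}

Get-ExchangeSecurityUpdateStatus | Sort-Object Status | Format-Table -AutoSize
```

Until the placeholder entries are replaced with the real build numbers every server will report as an unknown CU, which is intentional: the script refuses to declare a server patched on the basis of a guessed value. The ExSetup.exe file version is used instead of `AdminDisplayVersion` because the latter only changes when a Cumulative Update is installed, not when a security update is applied, so it cannot distinguish a patched CU from an unpatched one.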
References:
- https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
- https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c
- https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473
If you are interested in learning more about how our team can help mitigate your risks, please click here to view our Cybersecurity Services.