Published in News

Attackers targeting flaws in Microsoft Exchange Server

10 August 2021


Researchers warn

While the software king of the world Microsoft has patched three flaws in Microsoft Exchange Server, network managers are being tardy in fixing them and that could result in Goodnight Vienna for many companies, security researchers have warned.

For those who came in late, ProxyShell is a set of three security flaws that have already been addressed by Microsoft, but apparently attackers are currently scanning the internet for Microsoft Exchange Server instances that have not been patched for the ProxyShell vulnerability.

The technical details of the bug were disclosed last week by Devcore security researcher Orange Tsai at the Black Hat 2021 conference.

Tsai and his teammates are credited for discovering this bug during the Pwn2Own 2021 hacking contest held in April.

Microsoft Exchange Server, an email solution, is a long-time target of state-backed threat actors as corporate mail servers store the confidential secrets of government agencies and enterprises.

ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) which, when used together, could enable a threat actor to perform unauthenticated, remote code execution (RCE) on unpatched Microsoft Exchange servers.

According to Orange Tsai, these vulnerabilities can be remotely exploited through Microsoft Exchange's Client Access Service (CAS) running on port 443 in IIS.

Microsoft quietly patched CVE-2021-34473 and CVE-2021-34523 in April with its KB5001779 cumulative update, while CVE-2021-31207 was patched about a month later.

CVE-2021-34473 is a pre-authentication path confusion bug that could result in ACL bypass, while CVE-2021-34523 results in elevation of privilege on Exchange PowerShell Backend, according to BleepingComputer.

The third flaw, CVE-2021-31207, is a post-authentication arbitrary-file-write bug that enables attackers to remotely execute arbitrary code on a machine.

Tsai said that one of the components of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service that was introduced by Microsoft to provide an easy way for mail client software to auto-configure itself with minimal input from the user.

After watching Tsai's talk, security researchers PeterJson and Jang published a blog post detailing how they were able to successfully reproduce the ProxyShell exploit.

IT security researcher Kevin Beaumont also said last week that a threat actor had probed his Microsoft Exchange server, which he had set up as a honeypot.

Beaumont said that while initial attacks were unsuccessful, he later observed entries in the log against the server's Autodiscover service, suggesting that the attackers had managed to conduct successful attacks.
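As an added example, not code from the article or from any of the researchers it names, a small Python checker in the spirit of Beaumont's honeypot observation: it parses constructed IIS W3C log lines and flags requests to the Autodiscover endpoint whose query string carries both an '@' and a reference to a backend path. The field layout and the heuristic are assumptions made here, not something the article specifies.

```python
"""Flag Autodiscover requests in IIS logs that look like path-confusion probes (heuristic)."""
from typing import Dict, List, Optional

# Assumed IIS W3C field order for this example (real servers may log more fields).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "s-port", "c-ip", "sc-status"]

# Backend paths a mail client has no reason to name inside an Autodiscover query.
BACKEND_HINTS = ("powershell", "mapi/nspi", "ews/exchange.asmx")

# Constructed sample log; the two 203.0.113.9 lines mimic suspicious probes, the rest is benign.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-08-09 10:12:01 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 198.51.100.7 401
2021-08-09 10:12:03 10.0.0.5 GET /autodiscover/autodiscover.json @example.invalid/powershell 443 203.0.113.9 200
2021-08-09 10:12:04 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/mapi/nspi 443 203.0.113.9 200
2021-08-09 10:12:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.7 200
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into a field dict; return None if the layout does not match."""
    parts = line.strip().split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_suspicious(rec: Dict[str, str]) -> bool:
    """Autodiscover JSON request whose query names a backend path via an '@' form."""
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"].lower()
    if not stem.startswith("/autodiscover/autodiscover.json"):
        return False
    # Legitimate client traffic carries no '@' plus backend path in the query string.
    return "@" in query and any(hint in query for hint in BACKEND_HINTS)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the client IP, request and status for every line that trips the heuristic."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C directive headers
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append({"c-ip": rec["c-ip"], "stem": rec["cs-uri-stem"],
                         "query": rec["cs-uri-query"], "sc-status": rec["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)  # a 200 here is the "successful attack" signal Beaumont described
```

Responses with a 2xx status matter most: a 401 on such a request means the probe was rejected, while a 200 on a patched-or-not server deserves a closer look.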

These findings indicate that threat actors are watching presentations at security conferences and quickly adapting their automatic tests.

Experts advise Exchange server admins to install the latest cumulative updates from Microsoft as soon as possible.

There are currently 400,000 Microsoft Exchange servers exposed on the internet, so successful attacks are expected to come very soon, Tsai warned.

Last modified on 10 August 2021