BACKGROUND
Attackers are actively exploiting Microsoft Exchange Servers through 'ProxyShell', a chain of three Microsoft Exchange vulnerabilities that together yield unauthenticated remote code execution, and are using it to install backdoors for later access. The chain is exploited remotely through Microsoft Exchange's Client Access Service (CAS), which is served by IIS on port 443, so any Exchange server whose CAS endpoints are reachable from the Internet is exposed.
The three chained vulnerabilities used in 'ProxyShell' attacks are:
- CVE-2021-34473 - Pre-auth path confusion leading to an ACL bypass (patched in April by KB5001)
- CVE-2021-34523 - Elevation of privilege on the Exchange PowerShell backend (patched in April by KB5001779)
- CVE-2021-31207 - Post-auth arbitrary file write leading to RCE (patched in May by KB5003435)
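Because the whole chain enters through the CAS endpoints in IIS, the IIS W3C logs are the first place to look for exploitation attempts. The following is an added example, not code from the advisory: it parses IIS W3C log lines and flags requests to the Autodiscover endpoint whose query string carries the "@" path-confusion marker together with a reference to another CAS backend (such as /powershell or /mapi). The indicator is taken from public analysis of CVE-2021-34473 rather than from the advisory text, the backend path list is an assumption, and the log lines are constructed.

```python
"""Flag ProxyShell-style path-confusion requests in IIS W3C logs.

Added example (not part of the original advisory). The request pattern is based
on public analysis of CVE-2021-34473; BACKEND_PATHS and the sample log are
assumptions/constructed data.
"""
from urllib.parse import unquote

# Backend paths an attacker tries to reach through the Autodiscover path
# confusion. This list is an assumption for the example, not an exhaustive one.
BACKEND_PATHS = ("/powershell", "/mapi", "/ews", "/ecp", "/owa", "/autodiscover")

AUTODISCOVER_STEM = "/autodiscover/autodiscover.json"

# Constructed IIS W3C log excerpt: two attacker requests from 203.0.113.7,
# one legitimate Autodiscover POST and one unrelated OWA request.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 10:15:01 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25 200
2021-08-12 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/ 443 - 203.0.113.7 python-requests/2.25 200
2021-08-12 10:16:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 EXAMPLE\jdoe 10.0.0.44 Microsoft+Office/16.0 200
2021-08-12 10:16:05 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c(lines):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated row; skip rather than misalign fields
        yield dict(zip(fields, values))


def is_proxyshell_request(uri_stem, uri_query):
    """True when a request to Autodiscover smuggles "@" plus a backend path."""
    stem = uri_stem.lower()
    # IIS keeps the raw encoding; decode twice so %253F-style nesting is caught.
    query = unquote(unquote(uri_query)).lower()
    if not stem.startswith(AUTODISCOVER_STEM):
        return False
    # The explicit-logon parser discards everything up to "@", which is what
    # lets the attacker choose the backend path that follows it.
    if "@" not in query:
        return False
    return any(path in query for path in BACKEND_PATHS)


def scan(lines):
    """Return (date, time, client ip, request) for each suspicious row."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS writes "-" for an empty query string
            query = ""
        if is_proxyshell_request(stem, query):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), stem + "?" + query))
    return hits


def demo():
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", *hit)
```

A hit only shows that the path-confusion request reached IIS; whether it succeeded depends on the patch level at the time, so pair the log review with a check of the installed Exchange build and a search for backdoors dropped afterwards.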
IMPACT
1. Leakage and loss of sensitive and confidential organization and client data
2. Persistent, unauthenticated access to the server through backdoors installed after exploitation, which survive patching of the underlying vulnerabilities
SYSTEMS AFFECTED
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
RECOMMENDATIONS
- Keep Microsoft Exchange Server up to date: apply the April and May security updates (KB5001779 and KB5003435) on a supported Cumulative Update, and confirm the installed build from the file version of ExSetup.exe rather than from the CU level alone, since the CU level does not show whether a security update was applied
- Assume servers that were exposed before patching may already be compromised: patching does not remove a backdoor, so review the IIS logs for the Client Access Service endpoints and check for unexpected files or scheduled tasks on the server
- Use a unique, strong password for each server and administrative account, and rotate credentials on any server found to be compromised
- Frequently update the operating system and software