Microsoft Exchange Servers are actively exploited in the wild by various threat actors. Attackers are looking for vulnerable instances of Microsoft Exchange Servers and exploiting them via ProxyShell vulnerabilities. ProxyShell is the name given to the set of three vulnerabilities existing in Microsoft Exchange servers. Allows an attacker to execute arbitrary code on the affected systems. These vulnerabilities are identified as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 and could be chained together to bypass ACL controls, elevate privileges, and perform unauthenticated, remote code execution. CVE-2021-34473 and CVE-2021-34523 patched in April by Microsoft as a part of the April 2021 Patch Tuesday release, whereas patches CVE-2021-31207 in May. Even though patched in April, CVE-2021-34473 and CVE-2021-34523 by Microsoft disclosing until July 2021. Which resulted in many organizations unpatched. Several organizations patch their systems based on CVE using a patch management tool released and the severity associated with it.
Researchers have identified several types of web shells deployed to various vulnerable Microsoft Exchange servers. Researchers believe that at least 140 different styles of web shells deploying across more than 1900 Microsoft Exchange servers. A vulnerability management tool is very much essential.
Many malware have also started using these ProxyShell vulnerabilities for taking over vulnerable systems. One of these is a new ransomware gang known as LockFile, which on gaining a foothold on the system, deploys LockFile ransomware and encrypts Windows domains. It targets organizations working in financial services, manufacturing, engineering, legal, business services, travel, and tourism. LockFile attacks have reports mostly in the U.S. and Asia.
Vulnerability Details
CVE-2021-34473: Remote Code Execution
This flaw exists in the Autodiscover service and arises due to the lack of proper validation of URI prior to accessing resources. However, an attacker uses this vulnerability to execute arbitrary code and if combined with other vulnerabilities it uses to execute arbitrary code in the context of SYSTEM. Therefore, this vulnerability falls into a “Critical” severity with a CVSS base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ).
CVE-2021-34523: Elevation of Privilege
This flaw exists in the Powershell service and exists due to improper validation of an access token prior to executing the Exchange PowerShell command. However, an attacker can use this vulnerability to elevate privileges and combine it with other vulnerabilities to execute arbitrary code in the context of SYSTEM. This vulnerability falls into a “Critical” severity with a CVSS base score of 9.8 ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ).
CVE-2021-31207: Security Feature Bypass
This flaw exists in the mailbox export feature due to improper validation of user-supplied data and can allow the attacker to upload arbitrary files. This vulnerability also when combined with some other vulnerabilities can use to execute arbitrary code in the context of SYSTEM. This vulnerability falls into a “High” severity category with a CVSS base score of 7.2 ( AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H ).
Affected Systems by CVE-2021-34473
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
Impact of CVE-2021-34473
Successful exploitation of the Exchange Server could result in remote code execution and compromise of the system.
CISA Advice
US Cybersecurity and Infrastructure Security Agency (CISA) have shared advisory for Microsoft Exchange servers against actively exploited ProxyShell vulnerabilities. CISA states: “Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”
Solution
Microsoft has already released the patches for all of these vulnerabilities in April 2021 and May 2021 Patch Tuesday Updates. As mentioned earlier, CVE-2021-34473 and CVE-2021-34523 patched by Microsoft in April Patch Tuesday release but CVEs were not disclosed then and later published in July 2021. Microsoft patched the third CVE from ProxyShell Vulnerabilities CVE-2021-31207 in May’s Patch Tuesday release.
SanerNow can detect these vulnerabilities. It is recommended that affected systems must patch as soon as possible.