DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle

Summary

Microsoft Exchange has a number of vulnerabilities that allow a lot of opportunity for attack. Two of these attacks are ProxyShell, which allows Remote Code Execution and ProxyOracle which allows the recovery of the plain text password of a user by tricking them to click a single link.

We noticed that even tough patches have been released in April and July, there are still a lot of Exchange servers online without the patches.

What you can do

If you run your own Exchange server, make sure it is patched:

• Exchange Server 2019 as least Cumulative update 9 or 10
• Exchange Server 2016 as least Cumulative update 20 or 21
• Exchange Server 2013 as least Cumulative update 23

If you are having trouble getting your Exchange server patched, we suggest that it might we worthwhile to look into Office 365.

What we are doing

We have made an NSE script for ProxyOracle available via out GitHub account. We are going to scan internet facing Exchange servers for ProxyOracle and ProxyShell (via Kevin beaumont’s script)

For us this case has ended, anyone still vulnerable to these issues over a year after patches were made available will be notified of this together with case 2022-00054.

Timeline

More information

• A New Attack Surface on MS Exchange Part 2 - ProxyOracle! by DevCore
• ProxyShell vulnerabilities and your Exchange Server by the Microsoft Exchange Team