DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle
|Case lead||Frank Breedijk|
|Product||Microsoft Exchange on premise|
|Recommendation||Apply the patches released in April and Juli|
|Patch status||Full patched|
Microsoft Exchange has a number of vulnerabilities that allow a lot of opportunity for attack. Two of these attacks are ProxyShell, which allows Remote Code Execution and ProxyOracle which allows the recovery of the plain text password of a user by tricking them to click a single link.
We noticed that even tough patches have been released in April and July, there are still a lot of Exchange servers online without the patches.
What you can do
If you run your own Exchange server, make sure it is patched:
- Exchange Server 2019 as least Cumulative update 9 or 10
- Exchange Server 2016 as least Cumulative update 20 or 21
- Exchange Server 2013 as least Cumulative update 23
If you are having trouble getting your Exchange server patched, we suggest that it might we worthwhile to look into Office 365.
What we are doing
|Apr 2021||CVE-2021-34473 patched, but not documented.|
|11 May 2021||CVE-2021-31195 patched and documented|
|13 Jul 2021||CVE-2021-34473 documented, CVE-2021-34523, CVE-2021-31207 and CVE-2021-31196 patched and documented|
|30 Aug 2021||First version of this case file|
|30 Aug 2021||DIVD releases scan script for CVE-2021-31195|
- A New Attack Surface on MS Exchange Part 2 - ProxyOracle! by DevCore
- ProxyShell vulnerabilities and your Exchange Server by the Microsoft Exchange Team