Skip to the content.

DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle

Our reference DIVD-2021-00022
Case lead Frank Breedijk
Researcher(s)
CVE(s)
Product Microsoft Exchange on premise
Versions n/a
Recommendation Apply the patches released in April and Juli
Patch status Full patched
Status Closed
Last modified 08 Dec 2022 16:28

Summary

Microsoft Exchange has a number of vulnerabilities that allow a lot of opportunity for attack. Two of these attacks are ProxyShell, which allows Remote Code Execution and ProxyOracle which allows the recovery of the plain text password of a user by tricking them to click a single link.

We noticed that even tough patches have been released in April and July, there are still a lot of Exchange servers online without the patches.

What you can do

If you run your own Exchange server, make sure it is patched:

If you are having trouble getting your Exchange server patched, we suggest that it might we worthwhile to look into Office 365.

What we are doing

We have made an NSE script for ProxyOracle available via out GitHub account. We are going to scan internet facing Exchange servers for ProxyOracle and ProxyShell (via Kevin beaumont’s script)

For us this case has ended, anyone still vulnerable to these issues over a year after patches were made available will be notified of this together with case 2022-00054.

Timeline

Date Description
13 Apr 2021 CVE-2021-34473 was patched in this released, but not documented.
11 May 2021 CVE-2021-31195 patched and documented
13 Jul 2021 CVE-2021-34473 documented, CVE-2021-34523, CVE-2021-31207, and CVE-2021-31196 patched and documented
30 Aug 2021 First version of this case file
30 Aug 2021 DIVD releases scan script for CVE-2021-31195
10 Oct 2022 Closing this case
gantt title DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle (406 days) :2021-08-30, 2022-10-10 section Events CVE-2021-34473 was patched in this released, but not documented. : milestone, 2021-04-13, 0d CVE-2021-31195 patched and documented : milestone, 2021-05-11, 0d CVE-2021-34473 documented, CVE-2021-34523, CVE-2021-31207, and CVE-2021-31196 patched and documented : milestone, 2021-07-13, 0d First version of this case file : milestone, 2021-08-30, 0d DIVD releases scan script for CVE-2021-31195 : milestone, 2021-08-30, 0d Closing this case : milestone, 2022-10-10, 0d

More information