DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle
| Our reference | DIVD-2021-00022 |
| Case lead | Frank Breedijk |
| Researcher(s) | |
| CVE(s) | |
| Product | Microsoft Exchange on premise |
| Versions | n/a |
| Recommendation | Apply the patches released in April and Juli |
| Patch status | Full patched |
| Status | Open |
| Last modified | 20 Jun 2022 07:35 |
Summary
Microsoft Exchange has a number of vulnerabilities that allow a lot of opportunity for attack. Two of these attacks are ProxyShell, which allows Remote Code Execution and ProxyOracle which allows the recovery of the plain text password of a user by tricking them to click a single link.
We noticed that even tough patches have been released in April and July, there are still a lot of Exchange servers online without the patches.
What you can do
If you run your own Exchange server, make sure it is patched:
- Exchange Server 2019 as least Cumulative update 9 or 10
- Exchange Server 2016 as least Cumulative update 20 or 21
- Exchange Server 2013 as least Cumulative update 23
If you are having trouble getting your Exchange server patched, we suggest that it might we worthwhile to look into Office 365.
What we are doing
We have made an NSE script for ProxyOracle available via out GitHub account. We are going to scan internet facing Exchange servers for ProxyOracle and ProxyShell (via Kevin beaumont’s script)
Timeline
| Date | Description |
|---|---|
| 13 Apr 2021 | CVE-2021-34473 was patched in this released, but not documented. |
| 11 May 2021 | CVE-2021-31195 patched and documented |
| 13 Jul 2021 | CVE-2021-34473 documented, CVE-2021-34523, CVE-2021-31207, and CVE-2021-31196 patched and documented |
| 30 Aug 2021 | First version of this case file |
| 30 Aug 2021 | DIVD releases scan script for CVE-2021-31195 |
More information
- A New Attack Surface on MS Exchange Part 2 - ProxyOracle! by DevCore
- ProxyShell vulnerabilities and your Exchange Server by the Microsoft Exchange Team