
DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle

Our reference DIVD-2021-00022
Case lead Frank Breedijk
Researcher(s)
CVE(s)
Product Microsoft Exchange on premise
Versions n/a
Recommendation Apply the patches released in April and July
Patch status Fully patched
Status Open

Summary

Microsoft Exchange has a number of vulnerabilities that give attackers considerable opportunity. Two of the resulting attacks are ProxyShell, which allows remote code execution, and ProxyOracle, which allows recovery of a user's plain-text password by tricking them into clicking a single link.

We noticed that even though patches were released in April and July, there are still a lot of Exchange servers online without the patches.

What you can do

If you run your own Exchange server, make sure it is patched:

If you are having trouble getting your Exchange server patched, we suggest that it might be worthwhile to look into Office 365.

What we are doing

We have made an NSE script for ProxyOracle available via our GitHub account. We are going to scan internet-facing Exchange servers for ProxyOracle and ProxyShell (via Kevin Beaumont’s script).

Timeline

Date Description
Apr 2021 CVE-2021-34473 patched, but not documented.
11 May 2021 CVE-2021-31195 patched and documented
13 Jul 2021 CVE-2021-34473 documented, CVE-2021-34523, CVE-2021-31207 and CVE-2021-31196 patched and documented
30 Aug 2021 First version of this case file
30 Aug 2021 DIVD releases scan script for CVE-2021-31195

More information