DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle
| Field | Value |
|---|---|
| Case lead | Frank Breedijk |
| Product | Microsoft Exchange on premise |
| Recommendation | Apply the patches released in April and July |
| Patch status | Fully patched |
| Last modified | 11 Oct 2022 16:50 |
Microsoft Exchange has a number of vulnerabilities that give attackers a lot of opportunity. Two of these attacks are ProxyShell, which allows Remote Code Execution, and ProxyOracle, which allows recovery of a user's plaintext password by tricking them into clicking a single link.
We noticed that even though patches have been released in April and July, there are still a lot of Exchange servers online without the patches.
What you can do
If you run your own Exchange server, make sure it is patched:
- Exchange Server 2019 at least Cumulative Update 9 or 10
- Exchange Server 2016 at least Cumulative Update 20 or 21
- Exchange Server 2013 at least Cumulative Update 23
If you are having trouble getting your Exchange server patched, we suggest that it might be worthwhile to look into Office 365.
What we are doing
We have made an NSE script for ProxyOracle available via our GitHub account. We are going to scan internet-facing Exchange servers for ProxyOracle and ProxyShell (via Kevin Beaumont's script).
For us this case has ended; anyone still vulnerable to these issues over a year after patches were made available will be notified of this together with case 2022-00054.
| Date | Event |
|---|---|
| 13 Apr 2021 | CVE-2021-34473 was patched in this release, but not documented. |
| 11 May 2021 | CVE-2021-31195 patched and documented |
| 13 Jul 2021 | CVE-2021-34473 documented; CVE-2021-34523, CVE-2021-31207, and CVE-2021-31196 patched and documented |
| 30 Aug 2021 | First version of this case file |
| 30 Aug 2021 | DIVD releases scan script for CVE-2021-31195 |
| 10 Oct 2022 | Closing this case |
- A New Attack Surface on MS Exchange Part 2 - ProxyOracle! by DevCore
- ProxyShell vulnerabilities and your Exchange Server by the Microsoft Exchange Team