
DIVD-2021-00022 - Exchange ProxyShell and ProxyOracle

Our reference DIVD-2021-00022
Case lead Frank Breedijk
Researcher(s)
CVE(s)
Product Microsoft Exchange on premise
Versions n/a
Recommendation Apply the patches released in April and July
Patch status Fully patched
Status Open
Last modified 20 Jun 2022 07:35

Summary

Microsoft Exchange has a number of vulnerabilities that offer a lot of opportunity for attack. Two of these attacks are ProxyShell, which allows Remote Code Execution, and ProxyOracle, which allows the recovery of a user's plaintext password by tricking them into clicking a single link.

We noticed that even though patches were released in April and July, there are still a lot of Exchange servers online without the patches.

What you can do

If you run your own Exchange server, make sure it is patched:

If you are having trouble getting your Exchange server patched, we suggest that it might be worthwhile to look into Office 365.

What we are doing

We have made an NSE script for ProxyOracle available via our GitHub account. We are going to scan internet-facing Exchange servers for ProxyOracle and ProxyShell (via Kevin Beaumont’s script).

Timeline

Date Description
13 Apr 2021 CVE-2021-34473 was patched in this release, but not documented.
11 May 2021 CVE-2021-31195 patched and documented
13 Jul 2021 CVE-2021-34473 documented, CVE-2021-34523, CVE-2021-31207, and CVE-2021-31196 patched and documented
30 Aug 2021 First version of this case file
30 Aug 2021 DIVD releases scan script for CVE-2021-31195

More information