ProxyShell

Severity

High

Date

11 August 2021, 21:00:00

Impact

High

Type

Threat/Attack Vector

Multiple vulnerabilities

11 Aug 2021

Microsoft Exchange servers scanned for ProxyShell vulnerability

Description

ProxyShell is the name given to three vulnerabilities that, when chained together, result in remote code execution. They target the attack surface of Microsoft Exchange's Client Access Service (CAS), which runs on port 443 in IIS on Microsoft Exchange servers. The vulnerabilities were disclosed in May and July of this year and presented at the most recent Black Hat conference. The three vulnerabilities are:
• CVE-2021-34473, Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779).
• CVE-2021-34523, Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779).
• CVE-2021-31207, Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435).

Affected Products

• Microsoft Exchange Server 2019 Cumulative Update 9.
• Microsoft Exchange Server 2013 Cumulative Update 23.
• Microsoft Exchange Server 2019 Cumulative Update 8.
• Microsoft Exchange Server 2016 Cumulative Update 19.
• Microsoft Exchange Server 2016 Cumulative Update 20.

Recommendations

Apply the patches provided in the references.

References