Microsoft warns companies to patch these 3 ProxyShell vulnerabilities in Exchange servers before it’s too late

In a security alert, Microsoft released a guidance to prevent the exploitation of the three vulnerabilities that integer ProxyShell, which reside in Exchange deployments. Recently reported, these three flaws were discovered by researcher Orange Tsai and addressed in May.

During her presentation at the Pwn2Own hacking event, Orange Tsai demonstrated the commitment of a vulnerable Exchange server by exploiting these three flaws:

  • CVE-2021-34473: Pre-authentication path confusion that would lead to ACL evasion (patched in April by KB5001779)
  • CVE-2021-34523: Privilege Escalation in the Exchange PowerShell Backend
  • CVE-2021-31207: Arbitrary writing of files after authentication that would lead to remote code execution

While the flaws were addressed months ago, Microsoft didn’t assign a CVE identification key until Julo, making it difficult for organizations running vulnerable deployments to discover the flaws in their networks. That’s why the cybersecurity community has started a campaign to invite Exchange administrators to install the necessary patches.

The issue remains, as Microsoft has confirmed that its on-premises Exchange servers have been under constant attacks related to these flaws: “If you have installed security updates on your Exchange servers, your systems will be protected against these vulnerabilities. Exchange Online customers are also protected, but they must ensure that all Exchange hybrid servers are updated.”

The company adds that users should install at least one of the latest updates to mitigate the risk of proxyshell exploitation. In the report, Microsoft details some factors that could facilitate the exploitation of these flaws, including:

  • The server is running an unsupported CU
  • The server is running security updates for versions prior to May 2021
  • The server is running an older CU, not compatible with the May 2021 mitigations

In addition to the Microsoft report, the Cybersecurity and Infrastructure Security Agency (CISA) warns that multiple hacking groups are actively exploiting these vulnerabilities, not to mention that other security agencies have already detected various exploit attempts in real scenarios, so it is urgent that the updates be implemented immediately.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.