Microsoft on Wednesday warned Exchange customers that their deployments are exposed to attacks exploiting the ProxyShell vulnerabilities unless the appropriate patches have been installed.
The ProxyShell bugs, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, can be chained to run arbitrary code without authentication. The first two bugs were patched in April, while the third received a fix in May.
Researchers with security consulting firm DEVCORE exploited the security holes at the 2021 Pwn2Own hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON cybersecurity conferences.
Soon after, the first scans for vulnerable Exchange servers commenced, and the first attacks targeting the exposed servers – over 30,000 of them – were also observed.
Last week, security researchers identified more than 1,900 unpatched systems that were compromised, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on attacks targeting Exchange servers affected by the ProxyShell flaws.
In a blog post on Wednesday, Microsoft underlined the importance of installing patches in a timely manner, noting that only systems without the already issued fixes are susceptible to compromise.
“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities,” the tech giant notes.
Systems without either of these security updates, the company says, are vulnerable to attacks. Furthermore, the company pointed out, Exchange servers should always be kept updated with the latest available Cumulative Update (CU) and Security Update (SU).
Vulnerable Exchange servers, Microsoft notes, are those running older, unsupported CUs, those running SUs for older, unsupported versions of Exchange released in March 2021, or those running older, unsupported CUs that have the March 2021 mitigations applied.
“In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” the company says.
The tech giant recommends that all customers install the latest set of updates on their Exchange servers, which would ensure they are protected from any compromise attempts.
Over the weekend, similar patching recommendations were issued by Rob Joyce, director of cybersecurity at the NSA, who pointed out that the number of attacks targeting Exchange servers is surging.