2 min

ProxyShell refers to a trio of security flaws that have already been addressed by Microsoft. However, not all instances are patched yet. Attackers are scanning the internet for Microsoft Exchange Server instances without patches for the ProxyShell vulnerability.

Researchers have sounded the alarm about this with the hopes that users will patch their respective systems.

The technical details of the bug were disclosed last week, by Orange Tsai of Devcore security, at the Black Hat 2021 conference. Tsai and his teammates discovered the bug during the Pwn2Own 2021 hacking contest held earlier this year, in April.

Microsoft Exchange Server

Microsoft Exchange server, a long-time target of state-sponsored hacker groups, is an email solution that if breached, offers access to confidential secrets belonging to enterprises and government agencies.

The three ProxyShell security flaws have been assigned tracking numbers CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. When used together, they can enable a threat actor to perform remote code execution (RCE) without authentication on unpatched servers.

Orange Tsai said that the vulnerabilities can be remotely exploited Through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.  

The threat is real

Microsoft patched CVE-2021-34523 and CVE-2021-34473 in April with a cumulative update (KB5001779) and about a month later patched the last of the flaws (CVE-2021-31207).

Tsai explained in his talk last week that one of the components of the ProxyShell attack chain, targets the Microsoft Exchange Autodiscover service introduced by the software giant to make it easy for mail client software to auto-configure itself with minimal user input.

Researchers PeterJson and Jang published a blog post detailing how the ProxyShell exploit works by reproducing it after watching the Tsai talk. Another researcher, Kevin Beaumont, reported that a threat actor probed his Microsoft Exchange server that he set up as a honeypot.