News

Microsoft Urges Patching Exchange Server To Avoid ProxyShell Attacks

• By Kurt Mackie
• 08/25/2021

The Exchange team at Microsoft posted an announcement on Wednesday acknowledging "ProxyShell" threats and urging organizations to keep Exchange Server up to date with the latest cumulative updates (CUs) and security updates (SUs).

ProxyShell is a "Critical"-rated vulnerability that can enable remote code execution on systems. It's actually three vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that are chained together for attack purposes. DevCore security researcher Orange Tsai demonstrated his ProxyShell findings earlier this month during the BlackHat security conference.

Other security researchers recently described seeing ProxyShell getting used in ransomware attacks. Last week, the U.S. Cybersecurity and Infrastructure Security Agency issued an urgent warning that ProxyShell exploits were happening.

Install the May or July Security Updates
Microsoft's announcement contended that Exchange Server users were protected against ProxyShell attacks if the May or July SUs are installed:

If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).

The Exchange Online service isn't directly subject to ProxyShell. However, Microsoft's subtle reminder above about "hybrid Exchange servers" is actually a warning to Exchange Online users. Oddly, Exchange Online users need to have a single Exchange Server instance installed to manage the Exchange Online service.

The requirement to use Exchange Server with the Exchange Online service is an odd one. It also puts Exchange Online users at risk for the ProxyShell attacks.

Unprotected Circumstances
The Exchange team also indicated circumstances where Exchange Server implementations would not be protected against ProxyShell attacks. They include:

• The server is running an older, unsupported CU;
• The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or
• The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

Microsoft releases CUs on a quarterly basis, but it discovered in early March, when out-of-band Exchange server patches were released in response to "Hafnium" ProxyLogon attacks, that lots of organizations haven't kept pace.

To assist organizations against ProxyLogon attacks unveiled in March, Microsoft automated mitigations by releasing an Exchange On-Premises Mitigation Tool (EOMT), which was announced on March 16. The tool worked with Exchange Server implementations that had unsupported CUs installed.

ProxyLogon was the inspiration for security researcher Orange Tsai to discover ProxyShell. However, he described ProxyShell as just the "tip of the iceberg" in terms of other possible Exchange Server attack scenarios.

In general, the Exchange team's Wednesday announcement advised that "any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities."

The announcement pointed organizations to this "Why Exchange Server Updates Matter" blog post from April. It makes a good case for time-strapped IT pros to keep Exchange Server patched in an up-to-date manner. The post references a tool for checking an Exchange Server's patch status, as well as a wizard for targeting cumulative update installations.