Microsoft Exchange - Remote Code Execution (ProxyLogon - CVE-2021-26855, CVE-2021-27065)
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
Microsoft Exchange is vulnerable to a Server Side Request Forgery (SSRF) attack (CVE-2021-26855) in the front-end component that proxies client requests to the Exchange backend. An unauthenticated remote attacker can use it to bypass authentication and impersonate an administrator. The root cause is that requests forwarded to the backend are made on behalf of the Exchange service itself, so they are already authenticated and carry the service's access tokens; a crafted request that reaches the backend through the proxy is therefore processed with administrative privileges even though the original client never authenticated. Chained with CVE-2021-27065, a post-authentication arbitrary file write that lets the attacker write a file (for example a web shell) to any path on the server, this results in unauthenticated Remote Code Execution on the Exchange server. The attack chain was named ProxyLogon.
- Risk description
A remote, unauthenticated attacker can fully compromise the Exchange server and use that foothold to steal confidential information, deploy ransomware or pivot into the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Applying the latest Microsoft security update for Exchange Server fixes both vulnerabilities. If the server was exposed to the Internet, there is a high probability that it has already been compromised, because the vulnerabilities were exploited in the wild before the patch was released, and patching does not remove an attacker who is already present. Review the server for indicators of compromise using Microsoft's published detection guidance (see references) and treat any hit as an incident rather than as a patching task.
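One such indicator check, as an added example (not code from Microsoft, from this page, or from Sniper): Microsoft's hunting guidance for CVE-2021-26855 is to search the Exchange HttpProxy logs (under the Exchange install path, Logging\HttpProxy) for requests whose AnchorMailbox matches ServerInfo~*/* while the request is not authenticated, which is what the SSRF looks like from the server's side. The parser below reads the CSV "#Fields:" header so it works on live log files; the log excerpt, host names and IP addresses embedded in it are constructed for illustration.

```python
"""Triage Exchange HttpProxy logs for CVE-2021-26855 (ProxyLogon SSRF) indicators.

Added example, not vendor or Sniper code. The rule implemented is Microsoft's
published hunting query for the HttpProxy logs: AnchorMailbox like
'ServerInfo~*/*' on a request with no AuthenticatedUser. The sample log is
constructed; the column names follow the real '#Fields:' header so the same
parser runs unchanged on files from <ExchangeInstallPath>\\Logging\\HttpProxy.
"""
import csv
from typing import Dict, Iterator, List

# Constructed sample: two ordinary requests, then two SSRF-style requests from
# one external address. A real file has many more columns; the parser keys
# records by whatever the '#Fields:' line lists, so the subset is fine here.
SAMPLE_LOG = """
#Software: Microsoft Exchange Server
#Version: 15.1.0.0
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:00:01.000Z,a1,/owa/auth/logon.aspx,,,203.0.113.10,200
2021-03-02T10:00:05.000Z,b2,/ecp/default.aspx,contoso\\alice,alice@contoso.local,10.0.0.5,200
2021-03-02T10:01:12.000Z,c3,/autodiscover/autodiscover.xml,,ServerInfo~mail.contoso.local/autodiscover/autodiscover.xml,203.0.113.10,200
2021-03-02T10:01:40.000Z,d4,/ecp/default.aspx,,ServerInfo~mail.contoso.local/ecp/default.aspx,203.0.113.10,200
"""


def parse_httpproxy_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#Fields:' header.

    Comment lines ('#...') are skipped except for the field list; data rows
    go through the csv module because real logs quote fields that contain
    commas (user agents, URLs).
    """
    fields: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if not fields:
            raise ValueError("data row encountered before the '#Fields:' header")
        row = next(csv.reader([raw]))
        yield dict(zip(fields, row))


def is_proxylogon_indicator(rec: Dict[str, str]) -> bool:
    """Microsoft's HttpProxy rule: unauthenticated request with a
    ServerInfo~<host>/<path> anchor (glob 'ServerInfo~*/*')."""
    anchor = rec.get("AnchorMailbox", "")
    user = rec.get("AuthenticatedUser", "")
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_indicators(text: str) -> List[Dict[str, str]]:
    """All records in the log text that match the indicator rule."""
    return [rec for rec in parse_httpproxy_log(text) if is_proxylogon_indicator(rec)]


def attacker_ips(text: str) -> List[str]:
    """Distinct client addresses behind the matching records, for blocking
    and for pivoting into firewall / IIS logs."""
    return sorted({rec.get("ClientIpAddress", "") for rec in find_indicators(text)})


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print("source addresses:", attacker_ips(SAMPLE_LOG))
```

Run it against the real log directory by reading each file into `find_indicators`; a single hit means the SSRF was used against the server and the host should be handled as compromised, not merely patched. This check covers only the first link of the chain; Microsoft's guidance also lists ECP server log and file-system indicators for the CVE-2021-27065 file write, which this script does not inspect.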
- References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
- Codename
- ProxyLogon
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Mar 2021
- Published at
- Updated at
- Software Type
- Email server
- Vendor
- Microsoft
- Product
- Exchange Server