
Microsoft finally issues ProxyShell security advisory

The ProxyShell advisory includes a call to patch, as well as details on which Exchange servers are vulnerable. In short: Those without the May security update are unprotected.

Microsoft issued an advisory Wednesday regarding the ProxyShell set of vulnerabilities -- four days after CISA warned of exploitation, and three months after the vulnerabilities were patched.

ProxyShell, which refers to a set of three vulnerabilities affecting Microsoft Exchange Server, gained notoriety this month following a Black Hat 2021 session in which Devcore researcher Orange Tsai showcased the vulnerabilities and put a spotlight on security weaknesses in Exchange. He called ProxyLogon, the now-infamous vulnerability disclosed in March, "the tip of the iceberg."

ProxyShell's three vulnerabilities include CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207; chained together they allow for remote code execution and escalation of privileges, and two of the three vulnerabilities are considered critical. The Cybersecurity and Infrastructure Security Agency (CISA) warned Saturday that the flaws were being exploited by threat actors.

Microsoft's Wednesday advisory provides specific details regarding who is vulnerable to ProxyShell. The post explains that an Exchange server is vulnerable if it is not running a Cumulative Update (CU) with at least the May Security Update (SU). CVE-2021-34473 and CVE-2021-34523 were patched in April and disclosed last month. CVE-2021-31207 was patched and disclosed in May.

The post emphasizes that the Microsoft Exchange On-Premises Mitigation Tool released following reports of ProxyLogon attacks in March does not protect against these new vulnerabilities, and that those who last patched in March are no longer fully protected.

A recent Shodan scan of 240,000 internet-facing Exchange servers showed nearly 50,000 that were vulnerable to ProxyShell.

"You must install one of the latest supported CUs and all applicable SUs to be protected," the post reads. "Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities."

Security researcher Kevin Beaumont published an article to his Medium site last Saturday detailing recent exploits and criticizing Microsoft's ProxyShell messaging, calling it "knowingly awful." This week's episode of the Risk & Repeat podcast discusses Microsoft's messaging, as well as recent ProxyShell developments.

A Microsoft spokesperson shared the following statement with SearchSecurity.

"We continually work with customers to reinforce the importance of staying up to date and installing all security patches as soon as possible as part of a best practice approach to security," the statement read. "After increased researcher chatter last week, we released additional guidance to reinforce those best practices."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
