
ProxyShell vs. ProxyLogon: What's the difference?

ProxyShell and ProxyLogon both affect Microsoft Exchange Servers, but they work in different ways.

ProxyShell and ProxyLogon are both exploits against on-premises Microsoft Exchange Servers, and both were discovered in 2021. Each enables threat actors to perform remote code execution on vulnerable systems.

Any organization that has not patched its Exchange Servers since July 2021 may be susceptible to an attack.

It is important to understand how each type of attack works. Here are their similarities and differences:

ProxyLogon

Orange Tsai, principal security researcher at Devcore, is credited with discovering the ProxyLogon vulnerability. He described it as possibly the most severe vulnerability in the history of Microsoft Exchange.

ProxyLogon is the name given to the vulnerability tracked as CVE-2021-26855. The ProxyLogon attack can be used against unpatched mail servers running Microsoft Exchange Server 2013, 2016 or 2019 that are set up to accept untrusted connections from the outside world. It enables threat actors to execute commands on unpatched, on-premises Exchange Servers by sending requests over TCP port 443. ProxyLogon is a pre-authentication vulnerability: an attacker does not need to log on or complete any authentication step before executing code remotely.

The best thing organizations can do to protect themselves against this exploit is to keep their Exchange Servers updated with the latest patches. They should also avoid making Exchange Server directly accessible from the internet.

ProxyShell

The ProxyShell exploit was discovered more recently than ProxyLogon. ProxyShell is an attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Although ProxyShell is a completely different exploit than ProxyLogon, many security researchers consider ProxyLogon to be the genesis of ProxyShell. ProxyLogon acted as something of a proof of concept that eventually led to the creation of ProxyShell.

ProxyShell targets on-premises Exchange Servers running Exchange Server 2013, 2016 or 2019. The threat specifically targets Exchange Client Access Servers -- or CAS servers, as Microsoft often calls them. Microsoft initially introduced CAS servers as front-end servers to protect Exchange mailbox servers.

The idea was that placing mailbox servers behind one or more client access servers kept the mailbox servers from being directly accessible from the internet. The ProxyShell exploit, however, takes advantage of vulnerabilities within the Client Access Servers themselves and uses them to execute code remotely on the CAS servers. Some attackers also use the ProxyShell exploit to plant ransomware on vulnerable systems.

Kevin Beaumont, senior threat intelligence analyst at Microsoft, described the ProxyShell vulnerabilities as being worse than ProxyLogon. He said they are more exploitable because most organizations haven't patched, and some threat actors who are exploiting the ProxyShell vulnerabilities are using them as a tool for planting and executing LockFile ransomware.

Attackers know that most Microsoft Exchange Client Access Servers are accessible from the internet, and that they listen on TCP port 443. This makes it easy for threat actors to connect to a CAS server and run some simple tests to see whether it is vulnerable to the ProxyShell exploits.

The best defense against ProxyShell is to make sure that Exchange Servers are up to date with the latest Microsoft security patches. Although ProxyShell specifically targets client access servers, it is equally important to keep mailbox servers up to date.
