ProxyShell Attacks targeting Microsoft Exchange Servers – CVE-2021-31207, CVE-2021-34473, CVE-2021-34523

Advisory No: TZCERT/SA/2021/08/24

Date of First Release: 24^th August 2021

Source: Microsoft

Software Affected: 

• Microsoft Exchange Server 2019
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2013

Overview:

Microsoft Exchange Server contains remote code execution vulnerabilities as a result of improper input validation. Exploitation attempts leverage the latest line of “ProxyShell” Microsoft Exchange vulnerabilities.

Description:

Vulnerabilities exist in a way Microsoft Exchange Servers handle Uniform Resource Identifier (URI) validation, user-supplied data validation and validation of access token. An attacker can exploit the flaws to bypass ACL controls, elevate privileges and perform unauthenticated, remote code execution.

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution:

Microsoft has issued security updates to address the affected products. Users and administrators are advised to apply necessary updates.   

References:

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473
4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523
6. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523