After Black Hat, Hackers Began To Actively Scan Microsoft Exchange Servers

✨ Megiddo

After experts at the Black Hat conference presented the technical details of vulnerabilities that can lead to remote code execution on Microsoft Exchange servers (ProxyShell), cybercriminals rushed to exploit the holes in real cyberattacks. This is another reason for everyone to think about timely patching.


Recall that ProxyShell is the common name under which experts have grouped three vulnerabilities that allow attackers to remotely execute code on Microsoft Exchange servers. To do this, an attacker has to chain all three holes in a single attack.

The exploitation, of course, also occurs remotely, via the Client Access Service (CAS) running on port 443. The three vulnerabilities are:

  • CVE-2021-34473 - leads to ACL bypass (patched in April with the KB5001779 update);
  • CVE-2021-34523 - elevation of privilege in the Exchange PowerShell backend (patched in April with KB5001779);
  • CVE-2021-31207 - the ability to write to a file with subsequent remote code execution (patched in May with the release of KB5003435).

The details of the vulnerabilities were revealed at the Black Hat conference by Devcore principal security researcher Orange Tsai. In particular, the expert pointed out one of the components attacked in the exploit chain - the Microsoft Exchange Autodiscover service.

After Tsai's talk, specialists published an article that provides technical details of how ProxyShell works. This allowed attackers to use a special URL - https[://]Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo

Administrators are advised to check the IIS logs for the path "/autodiscover/autodiscover.json". If it is there, it means that your server was scanned for possible vulnerabilities.
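
One way to run the IIS log check described above, as an added example that is not part of the original post. It assumes logs in the IIS W3C extended format; the sample lines, IP addresses and user agents are constructed, and the `nested_path` flag is an assumption based on the shape of the URL quoted above.

```python
from collections import defaultdict

PATH = "/autodiscover/autodiscover.json"

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 03:12:44 10.0.0.5 GET /autodiscover/autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo 443 - 203.0.113.7 ExampleScanner/1.0 200
2021-08-10 03:12:45 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 200
2021-08-10 03:13:02 10.0.0.5 POST /Autodiscover/Autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo 443 - 203.0.113.7 ExampleScanner/1.0 302
2021-08-10 04:00:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.org&Protocol=ActiveSync 443 - 192.0.2.33 ExampleClient/1.0 200
"""

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_autodiscover_hits(lines):
    """Group requests for the autodiscover.json path by client IP."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        if PATH in stem:
            query = row.get("cs-uri-query", "").lower()
            hits[row.get("c-ip", "?")].append({
                "when": f'{row.get("date")} {row.get("time")}',
                "status": row.get("sc-status"),
                # Assumption: a query that repeats the path matches the quoted URL
                "nested_path": "autodiscover.json" in query,
            })
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in find_autodiscover_hits(SAMPLE_LOG.splitlines()).items():
        nested = sum(r["nested_path"] for r in reqs)
        print(f"{ip}: {len(reqs)} request(s), {nested} with nested path in query")
```

To check a real server, pass the lines of each IIS log file to `find_autodiscover_hits` instead of `SAMPLE_LOG`.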