Earlier this month (August 2021), a security researcher named Orange Tsai discussed the details of a series of new Microsoft Exchange exploits at the annual BlackHat USA 2021 security conference.
Tsai published a total of eight vulnerabilities, one of which, discovered in January 2021, was described as potentially “the most severe vulnerability in the history of Microsoft Exchange”.
In March, that vulnerability was one of four patched by Microsoft that were being actively exploited by an APT known as “Hafnium”. Tsai dubbed the exploit ProxyLogon, because it leveraged flaws in both the Exchange Proxy architecture and the Logon mechanism.
In his remote address to BlackHat USA, Tsai announced that ProxyLogon formed “a whole new attack surface” as he proceeded to detail the vulnerabilities that he had discovered.
These vulnerabilities cover server-side, client-side and cryptographic bugs, and can be broken down into three powerful exploit chains:
- ProxyLogon, the well-known pre-auth remote code execution chain exploited in March (CVE-2021-26855, CVE-2021-27065)
- ProxyOracle, a plaintext password recovery attack chain (CVE-2021-31196, CVE-2021-31195)
- ProxyShell, a pre-auth RCE that earned Tsai an award (and $200,000) at this year’s Pwn2Own contest (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
Tsai responsibly disclosed these bugs to Microsoft, which has issued patches. Two additional bugs disclosed by Tsai (CVE-2021-33768) were patched by Microsoft in the more recent July 2021 Security Updates.
Whilst Tsai did not release a proof-of-concept (PoC) exploit for the ProxyShell vulnerabilities, it appears two other security researchers have developed and published a working exploit based on the information in the BlackHat presentation.
Sentrium can assist with your security needs, view our penetration testing services for more details or contact us today.