A new exploit, known as ProxyShell, has been found that exposes Microsoft Exchange servers to active exploitation.
The three main vulnerabilities are:
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell backend
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE
These vulnerabilities were found and demonstrated by researcher Orange Tsai and his colleagues in the DEVCORE Research team at the Pwn2Own contest that was held earlier this year.
He said that these vulnerabilities are worse than the ProxyLogon vulnerability that he also found, simply because they are more exploitable.
Compared to ProxyLogon:
With ProxyLogon attacks, the attackers needed to know an Exchange administrator's mailbox and hardcoded administrator@ to get the exploit to work. With ProxyShell they don't need to know that in advance, which is why it is more dangerous than the previous one.
How to fix Microsoft Exchange ProxyShell vulnerability
Microsoft released patches in April and May 2021 that were supposed to fix these vulnerabilities, but it failed to assign CVEs to them, which could soon lead to new problems.
These vulnerabilities can be exploited in various ways, so the best way to stay safe against this kind of activity is to use a VPN and keep all software and services up to date.
Everyone, and every enterprise, using Microsoft Exchange servers should make sure that the software is up to date with the latest patches in order to protect against exploitation.