Microsoft this week published guidance about three vulnerabilities referred to collectively as ProxyShell days after security researchers at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were actively trying to exploit them.
The ProxyShell vulnerabilities, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, could allow hackers to run arbitrary code on a vulnerable machine without authentication. The first two flaws were fixed in April, while the third received a patch in May.
Orange Tsai, a security researcher at consulting firm DEVCORE, exploited the ProxyShell vulnerabilities to target a Microsoft Exchange server during the Pwn2Own 2021 hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON cybersecurity conferences. Earlier, Orange Tsai had identified the ProxyLogon and ProxyOracle vulnerabilities in Exchange servers.
Last week, cybersecurity experts unearthed more than 1,900 unpatched systems that were exploited, and CISA issued a warning on attacks targeting Exchange servers impacted by the ProxyShell vulnerabilities.
In a blog post on Wednesday, Microsoft urged customers to install patches as soon as possible, noting that only systems without the already issued patches are vulnerable to the attack. The company also advised users to install the latest set of updates on their Exchange servers, which would protect them from compromise attempts.
“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities,” Microsoft stated.
According to the advisory, systems without either security update are vulnerable to attacks. The company also pointed out that Exchange servers should always be kept updated with the latest available Cumulative Update (CU) and Security Update (SU). Exchange servers are likewise vulnerable if they are running an older, unsupported CU, including older, unsupported CUs that have had the March 2021 mitigations applied.
“In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” the company added.