2023.10 - ProxyShell

MS Exchange Server ProxyShell

1.Overview :
The ProxyShell vulnerability comprises SSRF (Server Side Request Forgery) and RCE (Remote Code Execute) vulnerabilities that can occur in MS Exchange Server, consisting of multiple CVEs.

2.Attack Process :
This is an analysis of how three CVEs related to the ProxyShell vulnerability are interconnected and used.

1)CVE-2021-34473
This vulnerability allows access to the backend of an MS Exchange Server without authentication. Leveraging the ProxyLogon vulnerability, also known as CVE-2021-26855, attackers can access the restricted backend services without authentication. Attackers exploit this to utilize backend services or execute malicious code or programs in conjunction with other vulnerabilities.

2)CVE-2021-34523
This vulnerability grants PowerShell access within the MS Exchange Server to a specific mail account. Exploiting CVE-2021-34473 allows access with NT AUTHORITY\SYSTEM privileges. By creating an arbitrary token using a non-existent mail address and inserting it into the X-Rps-CAT parameter, the mail account is used with Exchange Admin privileges to access PowerShell. Attackers leverage this to access PowerShell and execute arbitrary commands.

3)CVE-2021-31207
This vulnerability allows the transmission of a webshell via SMTP or the modification of a mail draft document to contain malicious commands in MS Exchange Server's backend. After uploading the webshell, commands are sent via the WSMAN protocol to PowerShell to execute the webshell. This enables arbitrary command execution through the uploaded webshell.

3.Response :
In the case of ProxyShell, which exploits the SSRF vulnerability CVE-2021-34473 to execute other vulnerabilities, Microsoft recommends patching MS Exchange Server to versions 2013 Cumulative Update 23 or later, 2016 Cumulative Update 19 or later, and 2019 Cumulative Update 8 or later to prevent this vulnerability.

Our AIWAF product detects attacks exploiting this vulnerability using the "MS Exchange Server RCE 2" pattern.

4.Conclusion :
The ProxyShell vulnerability in MS Exchange Server involves a combination of various vulnerabilities and gained prominence, especially with ransomware groups like BlackCat exploiting the vulnerabilities. It has become a well-known vulnerability associated with threatening attacks such as internal information leakage and ransomware attacks, necessitating updates to the affected services.

Our AIWAF product has developed patterns to address the ProxyShell vulnerability and will continue to respond promptly to any new evasion methods or emerging vulnerabilities.