The goal of this case study is to summarize technical details of the ProxyLogon vulnerability alongside with other vulnerabilities that were used in chain to perform remote code execution in early 2021 Exchange hack. In addition, we have reproduced and described steps resulting in successful exploitation of Exchange Server 2016 CU16. Exchange administrators and security practitioners can use this guide to test their deployments or generate logs they can further analyze to gather IOCs and compare it with logs from their live systems.
Introduction
ProxyLogon means chaining two of the vulnerabilities (CVE-2021-26855 and CVE-2021-27065) together for exploitation.
- A server-side request forgery (SSRF ) vulnerability in Exchange CVE-2021-26855 which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. Attacker can try to authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Which versions of Microsoft Exchange are affected?
Affected versions of Exchange Servers:
- 2013 < 15.00.1497.012
- 2016 CU18 < 15.01.2106.013
- 2016 CU19 < 15.01.2176.009
- 2019 CU7 < 15.02.0721.013
- 2019 CU8 < 15.02.0792.010
Mitigation Strategies
The Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive and alert addressing several critical vulnerabilities recently found in Microsoft Exchange products. As a result, they recommended install the security patch as a solution.
This method is the only complete mitigation and has no impact to functionality. The following link has details on how to install the security update: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019:
We recommend implementing an IIS Re-Write Rule to filter malicious HTTPS requests, and disabling:
- Unified Messaging (UM)
- Exchange Control Panel (ECP) VDir
- Offline Address Book (OAB) VDir
These mitigations can be applied or rolled back using the ExchangeMitigations.ps1 script. Also, we recommend performing triage and in-depth analysis of logs. This script has some known impacts on Exchange Server functionality. Mitigations are effective against the attacks we have seen in the wild so far. Nevertheless, these may not be a complete solution for all possible exploitation methods of these vulnerabilities.
This will not evict an adversary who has already compromised a server. Therefore, you should perform further investigation using threat hunting. Until fully patched, these mitigations should only serve as a temporary solution. In addition, we recommend applying all the mitigations at once.
To learn more, download our case study on ProxyLogon Vulnerability Analysis.