Executive Summary
CVE-2021-34473 is a critical remote code execution (RCE) vulnerability in Microsoft Exchange Server. This vulnerability is part of the "ProxyShell" exploit chain, which also includes CVE-2021-34523 and CVE-2021-31207. The vulnerability allows an attacker to execute arbitrary code on the affected Exchange Server, potentially leading to full system compromise. This vulnerability has been actively exploited in the wild, making it imperative for organizations to take immediate action to mitigate the risk.
Technical Information
CVE-2021-34473 is a critical vulnerability in Microsoft Exchange Server that allows for remote code execution. The vulnerability exists due to improper validation of access tokens in the Exchange PowerShell service. This flaw allows an attacker to bypass authentication and execute arbitrary commands on the server. The vulnerability is exploited by sending specially crafted requests to the Exchange Server, which then executes the attacker's code.
The vulnerability has a CVSS Score of 9.1, indicating its critical nature. It affects Microsoft Exchange Server 2013, 2016, and 2019. The attack vector is network-based, and the attack complexity is low, meaning that it does not require any special conditions to be met. Additionally, no privileges or user interaction are required for the exploitation of this vulnerability.
The vulnerability is part of the "ProxyShell" exploit chain, which also includes CVE-2021-34523 and CVE-2021-31207. These vulnerabilities together allow an attacker to gain initial access to the Exchange Server, escalate privileges, and execute arbitrary code.
Exploitation in the Wild
CVE-2021-34473 has been actively exploited in the wild. Attackers have been observed scanning for vulnerable Exchange Servers and leveraging this vulnerability as part of ransomware campaigns. The vulnerability is particularly dangerous because it can be exploited without any user interaction or authentication. Indicators of Compromise (IOCs) include unusual network traffic to and from the Exchange Server, unexpected changes in system files, and the presence of malicious scripts or executables on the server.
APT Groups using this vulnerability
The available data does not name specific APT groups, but multiple threat groups, including those running ransomware campaigns, have been observed exploiting this vulnerability. These groups often target sectors such as government, healthcare, finance, and critical infrastructure across various countries.
Affected Product Versions
The following versions of Microsoft Exchange Server are affected by CVE-2021-34473:
- Microsoft Exchange Server 2013: Versions before Cumulative Update 23 (15.0.1497.15)
- Microsoft Exchange Server 2016: Versions before Cumulative Update 19 (15.1.2176.12) and Cumulative Update 18 (15.1.2106.13)
- Microsoft Exchange Server 2019: Versions before Cumulative Update 8 (15.2.792.10) and Cumulative Update 7 (15.2.721.13)
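A small checker that classifies an Exchange build string against the thresholds listed above, added here as an example and not part of the original report. The threshold table, the reading of "versions before CU N (build)" as "builds on that CU branch below the listed number", and the constructed sample inventory are assumptions; confirm any result against Microsoft's current build table.

```python
import re
from typing import NamedTuple


class Threshold(NamedTuple):
    product: str
    branch: tuple       # first three build components, e.g. (15, 1, 2176)
    fixed_patch: int    # fourth component of the first fixed build on that CU


# Thresholds copied from the Affected Product Versions section above.
# Assumption: each "CU N (build)" entry means builds on that CU branch with a
# fourth component below the listed one are still vulnerable.
THRESHOLDS = [
    Threshold("Exchange Server 2013", (15, 0, 1497), 15),
    Threshold("Exchange Server 2016", (15, 1, 2106), 13),
    Threshold("Exchange Server 2016", (15, 1, 2176), 12),
    Threshold("Exchange Server 2019", (15, 2, 721), 13),
    Threshold("Exchange Server 2019", (15, 2, 792), 10),
]


def parse_build(text):
    """Accept '15.1.2176.12' or the 'Version 15.1 (Build 2176.12)' form that
    Exchange's AdminDisplayVersion prints; return a 4-tuple of ints."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if len(parts) != 4:
        raise ValueError(f"not a four-part Exchange build: {text!r}")
    return parts


def assess(build_text):
    """Return (product, status). status is 'patched', 'vulnerable', 'verify'
    (a CU newer than any listed here) or 'unknown' (not a 2013/2016/2019 build)."""
    build = parse_build(build_text)
    branch, patch = build[:3], build[3]
    family = [t for t in THRESHOLDS if t.branch[:2] == branch[:2]]
    if not family:
        return ("unknown", "unknown")
    product = family[0].product
    for t in family:
        if t.branch == branch:
            return (product, "patched" if patch >= t.fixed_patch else "vulnerable")
    if branch > max(t.branch for t in family):
        return (product, "verify")      # CU released after this advisory
    return (product, "vulnerable")      # older CU with no fixed build listed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("mbx01", "Version 15.1 (Build 2176.12)"),
                      ("mbx02", "15.2.721.2"), ("mbx03", "15.0.1395.4")]:
        print(host, *assess(ver))
```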
Workaround and Mitigation
To mitigate the risk of exploitation, organizations should take the following steps:
- Patch Management: Ensure that all Microsoft Exchange Servers are updated with the latest security patches provided by Microsoft. This is the most effective way to protect against this vulnerability.
- Network Segmentation: Isolate Exchange Servers from the internet and restrict access to only necessary services. This can help limit the attack surface and reduce the risk of exploitation.
- Monitoring and Detection: Implement monitoring for unusual activity on Exchange Servers and use intrusion detection systems to identify potential exploitation attempts. Regularly review logs and network traffic for signs of compromise.
- Access Controls: Implement strict access controls and multi-factor authentication (MFA) for accessing Exchange Servers. This can help prevent unauthorized access and reduce the risk of exploitation.
References
- CISA - Known Exploited Vulnerabilities Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- SecPod - Microsoft Exchange Servers Actively Under Exploitation via ProxyShell Vulnerabilities https://www.secpod.com/blog/microsoft-exchange-servers-actively-under-exploitation-via-proxyshell-vulnerabilities/
- Packet Storm Security - Microsoft Exchange ProxyShell Remote Code Execution http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html
- GitHub - CVE-2021-34473 Scanner by RaouzRouik https://github.com/RaouzRouik/CVE-2021-34473-scanner
- GitHub - Proxyshell Scanner by cyberheartmi9 https://github.com/cyberheartmi9/Proxyshell-Scanner
- GitHub - proxyshell by horizon3ai https://github.com/horizon3ai/proxyshell
- GitHub - CVE-2021-34473 Exchange ProxyShell by je6k https://github.com/je6k/CVE-2021-34473-Exchange-ProxyShell
- GitHub - ProxyShell by kh4sh3i https://github.com/kh4sh3i/ProxyShell
- GitHub - CVE-2021-34473 by p2-98 https://github.com/p2-98/CVE-2021-34473
- GitHub - CVE-2021-34473 by phamphuqui1998 https://github.com/phamphuqui1998/CVE-2021-34473
- Rapid7 - Metasploit Framework Exchange ProxyShell RCE https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you identify, assess, and mitigate vulnerabilities like CVE-2021-34473. We provide comprehensive threat intelligence, real-time monitoring, and actionable insights to help you stay ahead of emerging threats. If you have any questions about this report or any other issue, please feel free to contact us at ops@rescana.com. We are here to help you secure your digital assets and ensure the resilience of your organization.