CVE-2021-26855:Microsoft Exchange Server SSRF Vulnerability (ProxyLogon) - CVE-2021-26855

splash
Back

Description Preview

CVE-2021-26855 is a critical Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This vulnerability is part of the "ProxyLogon" attack chain that enables remote code execution when combined with other vulnerabilities. It affects multiple versions of Microsoft Exchange Server and has been actively exploited in the wild.

Overview

The vulnerability exists in the Exchange Server's Unified Messaging service and allows attackers to bypass authentication and impersonate the Exchange server. By exploiting this SSRF vulnerability (CWE-918), attackers can forge requests that appear to originate from the server itself, which can lead to unauthorized access to sensitive information. When chained with other vulnerabilities (like CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), attackers can achieve remote code execution on vulnerable Exchange servers. This vulnerability has been widely exploited by multiple threat actors, including nation-state groups, to deploy web shells, steal data, and establish persistent access to victim environments.

Remediation

  1. Apply the security updates released by Microsoft immediately:

    • For Exchange Server 2013: KB5001755
    • For Exchange Server 2016 and 2019: KB5001779
    • For Exchange Server 2010: KB5001746

  2. If immediate patching is not possible, implement Microsoft's recommended mitigations:

    • Implement URL Rewrite Rules to block known attack patterns
    • Restrict untrusted connections to Exchange Server
    • Use Microsoft Safety Scanner to detect potential compromises

  3. After patching:

    • Run Microsoft's Exchange On-premises Mitigation Tool (EOMT)
    • Scan for indicators of compromise using Microsoft's detection scripts
    • Check for web shells or unauthorized modifications to Exchange server files
    • Review authentication logs for suspicious activity
    • Consider resetting credentials for accounts with administrative access to Exchange

  4. Long-term recommendations:

    • Consider migrating to Exchange Online to benefit from cloud security features
    • Implement network segmentation for on-premises Exchange servers
    • Deploy advanced threat protection solutions
    • Regularly apply security updates as they become available

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
  2. ProxyLogon Exploit Information: http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
  3. SSRF and Arbitrary File Write Exploit: http://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html
  4. Unauthenticated Email Download Exploit: http://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html
  5. ProxyLogon Collector Tool: http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
  6. Microsoft's ProxyLogon Response Center: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
  7. CISA Alert on Exchange Vulnerabilities: https://www.cisa.gov/uscert/ncas/alerts/aa21-062a

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Mar 3, 2021
CISA KEV Date
Nov 3, 2021
245days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  3. Public Administration: Low
    Public Administration
  4. Finance and Insurance: Low
    Finance and Insurance
  5. Transportation & Warehousing: Low
    Transportation & Warehousing
  6. Retail Trade: Low
    Retail Trade
  7. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  8. Educational Services: Low
    Educational Services
  9. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  10. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  11. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  12. Utilities: Low
    Utilities
  13. Information: Low
    Information
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  17. Construction: Low
    Construction
  18. Mining: Low
    Mining
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background