CVE-2021-26855:
Microsoft Exchange Server SSRF Vulnerability (ProxyLogon) - CVE-2021-26855
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8 Critical
- Published Date: Mar 3, 2021
- CISA KEV Date: Nov 3, 2021
- Industries Affected: 20
Threat Predictions
- EPSS Score: 94.4
- EPSS Percentile: 100%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Description Preview
Overview
CVE-2021-26855 is a server-side request forgery (SSRF, CWE-918) in the front-end (Client Access) layer of on-premises Exchange Server, the component that terminates client HTTPS connections and proxies them to back-end services. A crafted, unauthenticated request to the front end (typically to an OWA or ECP endpoint carrying a malformed X-BEResource cookie) is forwarded to the back end authenticated as the Exchange server itself, so the attacker's request is processed with the server's own privileges. On its own this gives unauthenticated access to mailbox contents and other back-end services; chained with the post-authentication arbitrary file write CVE-2021-27065 (or CVE-2021-26858) it gives unauthenticated remote code execution, which is how web shells were deployed at scale. CVE-2021-26857, an insecure deserialization bug in the Unified Messaging service, is a separate vulnerability fixed in the same March 2021 release and is not the flaw described on this page. Exploitation began before a patch was available and was attributed by Microsoft to the state-sponsored group HAFNIUM; within days many other actors were mass-exploiting it to deploy web shells, steal mailbox data and establish persistent access. Exchange Online is not affected.
Remediation
- 1. Apply the Microsoft security update for the installed Cumulative Update immediately. Exchange security updates only install on the CU they target, so a server on an older CU must first be upgraded to a supported CU:
- Exchange Server 2013 CU23, 2016 CU18/CU19 and 2019 CU7/CU8: the March 2, 2021 out-of-band security update (KB5000871); the April 2021 security update (KB5001779) and every later security update or CU are cumulative and also contain the fix
- Exchange Server 2010: not affected by CVE-2021-26855; the March 2021 rollup for SP3 (KB5000978) addresses only CVE-2021-26857
- Install the update from an elevated command prompt and verify the installed ExSetup.exe file version afterwards: an update run without elevation can report success while leaving files unpatched, and such servers remain exploitable
- 2. If immediate patching is not possible, apply Microsoft's interim mitigations, which reduce but do not remove the risk and are not a substitute for the update:
- Apply the IIS URL Rewrite rule that blocks requests carrying the malformed X-BEResource / X-AnonResource-Backend cookies used to trigger the SSRF; the Exchange On-premises Mitigation Tool (EOMT) applies this rule automatically and then runs Microsoft Safety Scanner (MSERT)
- Restrict untrusted connections to the Exchange front end (for example, allow port 443 only from the VPN or known networks); this also breaks external OWA and ActiveSync access and does nothing against an attacker already inside the network
- Run Microsoft Safety Scanner to detect web shells and tooling already present on the server
- 3. After patching, assume the server may already have been compromised (exploitation predates the patch) and hunt for it:
- Run Microsoft's detection script (Test-ProxyLogon.ps1), which checks the HttpProxy, OAB generator, Unified Messaging and Windows event logs for the published exploitation indicators
- Check for web shells and unauthorized files in the IIS and Exchange web directories (known drop locations include C:\inetpub\wwwroot\aspnet_client\ and the FrontEnd\HttpProxy\owa\auth\ directory under the Exchange install path)
- Review HttpProxy logs for unauthenticated requests whose AnchorMailbox matches the ServerInfo~*/* pattern, the documented CVE-2021-26855 indicator, and review authentication logs for suspicious activity
- Treat any finding as a full incident: reset credentials for accounts with administrative access to Exchange, investigate lateral movement and persistence, and consider rebuilding the server rather than cleaning it
- 4. Long-term recommendations:
- Consider migrating to Exchange Online, which was not affected and is patched by Microsoft
- Segment on-premises Exchange servers from the rest of the network so that a compromised server cannot be used directly for lateral movement
- Deploy endpoint detection and response on Exchange servers so that web-shell drops and post-exploitation activity are visible
- Keep servers on a supported CU and apply security updates as they are released; a server on an unsupported CU cannot receive them
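The HttpProxy review in step 3 and the front-end behaviour described in the Overview can be checked directly in copied HttpProxy logs. The following is an added example, not code from this page, from Armis or from Microsoft: it reimplements in Python the indicator Microsoft published for CVE-2021-26855 (an unauthenticated request whose AnchorMailbox has the form ServerInfo~*/*) over a constructed sample log. The log layout is a reduced version of the real HttpProxy format, and every host, IP address and request ID in the sample is made up. On the server itself you would run Microsoft's Test-ProxyLogon.ps1; this version is for offline triage of logs collected from many servers.

```python
import csv
import fnmatch
from collections import Counter

# Constructed sample in the layout of an Exchange HttpProxy log
# (%ExchangeInstallPath%\Logging\HttpProxy\<Protocol>\HttpProxy_*.log):
# '#' comment lines, a '#Fields:' header, then CSV rows. Only a subset of
# the real columns is included and every value here is made up.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,HttpStatus,BackEndStatus
2021-03-03T01:02:03.000Z,1111,10.0.0.5,mail.example.test,/owa/auth/logon.aspx,GET,,false,,,200,200
2021-03-03T01:02:04.000Z,2222,10.0.0.5,mail.example.test,/ecp/default.flt,GET,,false,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml?#,200,200
2021-03-03T01:02:05.000Z,3333,198.51.100.7,mail.example.test,/ecp/theme.css,GET,,false,,ServerInfo~mail.example.test/ews/exchange.asmx?#,200,200
2021-03-03T01:02:06.000Z,4444,10.0.0.9,mail.example.test,/owa/,GET,FBA,true,alice@example.test,ServerInfo~mail.example.test/owa/,200,200
2021-03-03T01:02:07.000Z,5555,10.0.0.5,mail.example.test,/mapi/emsmdb/,POST,NTLM,true,bob@example.test,Smtp~bob@example.test
"""


def parse_httpproxy_log(text):
    """Return one dict per data row, keyed by the names in the '#Fields:' header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [name.strip() for name in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):  # other header / comment lines
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))
        # Some rows omit trailing empty columns; pad so every key exists.
        values += [""] * (len(fields) - len(values))
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxylogon_ssrf(row):
    """Microsoft's published CVE-2021-26855 indicator: the front end accepted an
    unauthenticated request (empty AuthenticatedUser) and the AnchorMailbox it
    derived names an arbitrary back-end target (ServerInfo~<host>/<path>).
    Both conditions are required: row 4444 in the sample has the AnchorMailbox
    shape but an authenticated user, so it is not flagged."""
    return (row.get("AuthenticatedUser", "") == ""
            and fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), "ServerInfo~*/*"))


def find_proxylogon_hits(text):
    """All rows in a log that match the indicator, in log order."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf(row)]


def hits_by_client(text):
    """Hits per source IP: the first thing a responder wants for scoping."""
    return dict(Counter(row["ClientIpAddress"] for row in find_proxylogon_hits(text)))


if __name__ == "__main__":
    for hit in find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print(hits_by_client(SAMPLE_HTTPPROXY_LOG))
```

A hit means the SSRF was reached, not necessarily that the chain to CVE-2021-27065 succeeded; correlate the timestamps and source IPs with the ECP server logs and with new files under the web directories before deciding the server is clean. Source IPs seen here were commonly anonymizing infrastructure, so they are useful for scoping within your own logs rather than for attribution.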
References
- 1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
- 2. ProxyLogon Exploit Information: http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
- 3. SSRF and Arbitrary File Write Exploit: http://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html
- 4. Unauthenticated Email Download Exploit: http://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html
- 5. ProxyLogon Collector Tool: http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
- 6. Microsoft's ProxyLogon Response Center: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
- 7. CISA Alert on Exchange Vulnerabilities: https://www.cisa.gov/uscert/ncas/alerts/aa21-062a
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date:Mar 3, 2021
- CISA KEV Date:Nov 3, 2021
- Days Early:245 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.