CVE-2021-27065:Microsoft Exchange Server Post-Authentication Arbitrary File Write Vulnerability (ProxyLogon)

splash
Back

Description Preview

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Microsoft Exchange Server. This vulnerability is part of the ProxyLogon attack chain that allows attackers to write files to any path on the server after authentication. When combined with other vulnerabilities like CVE-2021-26855 (pre-authentication SSRF vulnerability), attackers can achieve remote code execution on vulnerable Exchange servers.

Overview

This vulnerability affects Microsoft Exchange Server and is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability allows an authenticated attacker to write files to arbitrary locations on the server. It is part of a chain of vulnerabilities known collectively as ProxyLogon, which has been actively exploited in the wild.

The vulnerability exists in the Unified Messaging service of Exchange Server. By sending specially crafted requests, an attacker can write files to any path on the server. This can be leveraged to write web shells or other malicious code that can be executed on the server, leading to complete system compromise.

Affected products include:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Remediation

  1. Apply the security updates released by Microsoft immediately. Microsoft has released out-of-band security updates for all affected versions of Exchange Server.

  2. If you cannot apply patches immediately, implement the following mitigations:

    • Restrict untrusted connections to Exchange Server
    • Use a firewall to prevent external access to Exchange Server ports 443, 80, 25, and 465
    • Disconnect vulnerable Exchange servers from the internet

  3. Check for indicators of compromise:

    • Look for web shells in the following paths:
      • C:\inetpub\wwwroot\aspnet_client\
      • C:\inetpub\wwwroot\aspnet_client\system_web\
      • The Exchange Server installation path
    • Check for suspicious files with extensions like .aspx, .ashx, .asmx, or .php

  4. If compromise is suspected, consider:

    • Rebuilding Exchange servers from known good sources
    • Resetting credentials for any accounts with administrative access to Exchange
    • Conducting a full security audit of your environment

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065
  2. ProxyLogon Remote Code Execution Exploit: http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
  3. ProxyLogon Collector Tool: http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
  4. Microsoft Security Blog on Exchange Server Vulnerabilities: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  5. CISA Alert on Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Mar 3, 2021
CISA KEV Date
Nov 3, 2021
245days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  3. Public Administration: Low
    Public Administration
  4. Finance and Insurance: Low
    Finance and Insurance
  5. Transportation & Warehousing: Low
    Transportation & Warehousing
  6. Retail Trade: Low
    Retail Trade
  7. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  8. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  9. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  10. Educational Services: Low
    Educational Services
  11. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  12. Utilities: Low
    Utilities
  13. Information: Low
    Information
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  17. Construction: Low
    Construction
  18. Mining: Low
    Mining
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background