^{CVE-2021-34473:}Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyShell)

Overview

This vulnerability (CVE-2021-34473) is one of three vulnerabilities that comprise the ProxyShell exploit chain (along with CVE-2021-34523 and CVE-2021-31207). When exploited, it allows attackers to bypass pre-authentication access control and impersonate arbitrary users on the Exchange server. The vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019. The root cause is improper validation of URL paths in the Exchange PowerShell backend, which enables server-side request forgery (SSRF) attacks. This vulnerability has a CVSS base score of 9.8 (Critical) and has been actively exploited in the wild since its disclosure.

Remediation

1. Apply the July 2021 security updates for Microsoft Exchange Server immediately.
2. If you cannot update immediately, implement URL Rewrite mitigation as a temporary measure.
3. Monitor for indicators of compromise, including unusual PowerShell commands or web shell deployments.
4. Implement network segmentation to limit access to Exchange servers.
5. Enable Extended Protection for Authentication on all Exchange servers.
6. Ensure all Exchange servers are properly configured with the latest security recommendations from Microsoft.
7. Consider implementing additional security controls such as a web application firewall configured to detect and block exploitation attempts.

References

1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473
2. Zero Day Initiative Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-821/
3. Exploit Details: http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html
4. Microsoft Exchange Server Security Updates: https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates
5. CISA Alert on ProxyShell Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-259a