CVE-2021-34473:Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyShell)

splash
Back

Description Preview

CVE-2021-34473 is a critical remote code execution vulnerability in Microsoft Exchange Server. This vulnerability is part of the ProxyShell attack chain, which allows an unauthenticated attacker to execute arbitrary code on affected Exchange servers through server-side request forgery (SSRF). The vulnerability exists in the way Exchange handles URL parsing and can be exploited to bypass authentication and access backend resources.

Overview

This vulnerability (CVE-2021-34473) is one of three vulnerabilities that comprise the ProxyShell exploit chain (along with CVE-2021-34523 and CVE-2021-31207). When exploited, it allows attackers to bypass pre-authentication access control and impersonate arbitrary users on the Exchange server. The vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019. The root cause is improper validation of URL paths in the Exchange PowerShell backend, which enables server-side request forgery (SSRF) attacks. This vulnerability has a CVSS base score of 9.8 (Critical) and has been actively exploited in the wild since its disclosure.

Remediation

  1. Apply the July 2021 security updates for Microsoft Exchange Server immediately.
  2. If you cannot update immediately, implement URL Rewrite mitigation as a temporary measure.
  3. Monitor for indicators of compromise, including unusual PowerShell commands or web shell deployments.
  4. Implement network segmentation to limit access to Exchange servers.
  5. Enable Extended Protection for Authentication on all Exchange servers.
  6. Ensure all Exchange servers are properly configured with the latest security recommendations from Microsoft.
  7. Consider implementing additional security controls such as a web application firewall configured to detect and block exploitation attempts.

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473
  2. Zero Day Initiative Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-821/
  3. Exploit Details: http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html
  4. Microsoft Exchange Server Security Updates: https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates
  5. CISA Alert on ProxyShell Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-259a

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Jul 14, 2021
CISA KEV Date
Nov 3, 2021
112days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  2. Manufacturing: Low
    Manufacturing
  3. Finance and Insurance: Low
    Finance and Insurance
  4. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  5. Public Administration: Low
    Public Administration
  6. Retail Trade: Low
    Retail Trade
  7. Transportation & Warehousing: Low
    Transportation & Warehousing
  8. Educational Services: Low
    Educational Services
  9. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  10. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  11. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  12. Accommodation & Food Services: Low
    Accommodation & Food Services
  13. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  14. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  15. Construction: Low
    Construction
  16. Information: Low
    Information
  17. Mining: Low
    Mining
  18. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  19. Utilities: Low
    Utilities
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background