About

Unpatched Exchange Servers vulnerable to remote shell vulnerability

All the on-premise Microsoft exchange servers ought to have been patched with the May update, that was released by Microsoft on 11th May, 2021. Unpatched exchange servers are subject of a fresh zero-day attack that strives to install remotely executable web shell on the Exchange servers. Microsoft’s hosted exchange servers for the Exchange online service offerings are already patched, and largely unaffected with this latest attack on the Exchange.

Huntress Lab, one of the corporate managed IT security companies, brought out a report of a large number of on-premise MS-Exchange servers that are compromised with remote shell execution vulnerability. These vulnerabilities were first found in April 2021 by Orange Tsai. Subsequent to the findings, all three vulnerabilities were patched in April 2021 through independent patches; and were finally resolved through a May 11 update for the Exchange servers. This update was released for Exchange admins on 11th May, 2021. Exchange servers patched with the May update are good in terms of closing the vulnerability gaps or resolving the security threats on the Exchange. The May update is also cumulative and supersedes the patches released earlier in the month of April.

Microsoft has stated that over 92% of Exchange servers are compliant and have resolved the vulnerabilities of remote shell execution through a set of April patches or the May update. This still leaves a lot many on-premise Exchange servers that are unpatched and still vulnerable to zero-day attacks to plant remotely executed web shells. Huntress Labs ran their tests, and found that five different web shells were seen planted on 190 Exchange servers. These exchange servers had remained unpatched, and have been compromised with remotely executable web shells. Potentially, they have become targets and carriers of malicious pay loads, including ransomware.

Nearly 1900 exchange servers remained unpatched at the time of Huntress's original report being published. This was on 21st August. 

Subsequent to this finding, another update tells us that there are 1764 Exchange servers that are still unpatched. This is as per an update of 23rd August.

164 Exchange servers have been compromised or carry the web shell exploits due to fresh zero-day attacks.

The following IP addresses have been found to be participants in the zero-day attacks on the unpatched Exchange server:

37.221.115[.]68
45.144.30[.]18
84.17.46[.]174
116.203.201[.]159
116.203.201[.]159
203.184.132[.]186
203.184.132[.]186

You may choose to block or null-route this as per your convenience.

To get latest updates, follow Huntress' study on this link 

Exchange Vulnerability

Back in April, Orange Tsai uncovered security gaps in the MS Exchange servers that allowed unauthenticated users to deploy remote proxyshells through the Exchange servers and run malicious code or propagate malicious code through the Exchange servers. Microsoft patched these vulnerabilities and these were assigned the corresponding CVE in the month of July. To know more about how the Exchange boxes can be compromised and remote shell executed on it, please read the full security document by Orange Tsai on this link. From Orange’s security document, we find the following ProxyShell vulnerabilites:

ProxyShell consists of 3 vulnerabilities:

CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass
CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend
CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE

With ProxyShell, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port!

In response to these security gaps, Microsoft has listed the vulnerabilities as under:

Microsoft Update

Microsoft released patches in the month of April 2021 to fix these remote shell execution vulnerabilities on the Exchange servers. Subsequently, it release a May update that supersedes these three fixes. So, all Microsoft Exchange servers ought to be patched with this May update. The May update was released on May 20, 2021. You can read more about it on the Microsoft document over here.

Which Exchange server builds are affected?

The following Exchange server builds are affected and need to be patched with the May update:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9