Background
On August 30, 2021, Trend Micro’s Zero Day Initiative (ZDI) published a technical blog post on CVE-2021-33766, a new vulnerability in Exchange also known as ProxyToken. A threat actor can exploit ProxyToken to bypass authentication on an Exchange Server and make configuration changes, including redirecting e-mail to an account under their control.
ProxyToken was responsibly disclosed to Microsoft by ZDI in March 2021 and patched in the April 13, 2021 Exchange security updates. Customers who have applied that patch or a later release are protected against ProxyToken.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
|---|---|---|---|---|
| CVE-2021-33766 | 7.5 | High | Improper Authentication | Microsoft Exchange Server contains an information disclosure vulnerability that can allow an unauthenticated attacker to steal e-mail traffic from a target. |
| CVE-2021-26855 | 9.8 | Critical | Remote Code Execution | Microsoft OWA Exchange Control Panel (ECP) Exploit Chain |
| CVE-2021-26857 | 7.8 | High | Remote Code Execution | Microsoft Unified Messaging Deserialization Vulnerability |
| CVE-2021-26858 | 7.8 | High | Remote Code Execution | Microsoft OWA Exchange Control Panel (ECP) Exploit Chain |
| CVE-2021-27065 | 7.8 | High | Remote Code Execution | Microsoft OWA Exchange Control Panel (ECP) Exploit Chain |
| CVE-2021-31196 | 7.2 | High | Remote Code Execution | Microsoft Exchange Server Vulnerability |
| CVE-2021-31206 | 8.0 | High | Remote Code Execution | Microsoft Exchange Server Vulnerability |
| CVE-2021-31207 | 7.2 | High | Security Feature Bypass | Microsoft Exchange Server Security Feature Bypass Vulnerability |
| CVE-2021-33768 | 8.0 | High | Privilege Escalation | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| CVE-2021-34473 | 9.8 | Critical | Remote Code Execution | Microsoft Exchange Server Vulnerability |
| CVE-2021-34523 | 9.8 | Critical | Privilege Escalation | Microsoft Exchange Server Elevation of Privilege Vulnerability |
Analysis, Solutions and Recommendations
Going into the Labour Day long weekend, the FBI has warned that ransomware groups are more likely to strike when they believe IT and security staff are away on vacation. The industry saw this happen many times this year, including over Memorial Day weekend (JBS Foods hit by REvil), Mother’s Day weekend (Colonial Pipeline hit by DarkSide), and the July Fourth weekend (the Kaseya VSA REvil campaign).
With Exchange being increasingly targeted in ransomware attacks, we strongly recommend ensuring that all Exchange Servers are up to date on patches going into this weekend.
This section details the recommendations Arctic Wolf makes to mitigate the Exchange vulnerabilities and to increase visibility on Exchange Servers.
A full listing of Microsoft Exchange build numbers.
| Vulnerability Name | CVE(s) | Patched build number(s) | Description |
|---|---|---|---|
| ProxyLogon | CVE-2021-26855 | | |
| ProxyShell | CVE-2021-34473 | | |
| ProxyShell | CVE-2021-31207 | | |
| ProxyToken | CVE-2021-33766 | | |
| No specific vulnerability name given to these. | CVE-2021-31196 | | |
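One way to verify the patch level the table above calls for, as an added example that is not part of the advisory or Arctic Wolf's own tooling: the script below, run from the Exchange Management Shell, compares each server's installed build against a minimum patched build for its Cumulative Update (CU). The build numbers in `$MinimumPatchedBuild` are placeholders to be filled in from Microsoft's Exchange build number listing, and it assumes PowerShell remoting is enabled to the Exchange servers.

```powershell
# Added example (not from the advisory): check every Exchange server against
# the minimum patched build for its CU. Placeholder builds must be replaced
# with the values from Microsoft's Exchange Server build number listing.
# Caveat: Get-ExchangeServer's AdminDisplayVersion only reflects the CU, not
# installed security updates, so the full build is read from ExSetup.exe.

# Key: CU identified as Major.Minor.Build; value: minimum patched revision.
$MinimumPatchedBuild = @{
    '15.2.<CU-build>' = 0   # PLACEHOLDER: an Exchange 2019 CU and its patched revision
    '15.1.<CU-build>' = 0   # PLACEHOLDER: an Exchange 2016 CU and its patched revision
}

function Test-ExchangeBuild {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][version]$InstalledBuild,
        [Parameter(Mandatory)][hashtable]$Minimums
    )
    # The first three components identify the CU; the revision carries the SU level.
    $cu = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build
    if (-not $Minimums.ContainsKey($cu)) {
        # Security updates ship only for the CUs Microsoft currently supports,
        # so an unlisted CU cannot be patched in place and must be upgraded first.
        $status = 'CU not in patched list: update to a supported CU'
    } elseif ($InstalledBuild.Revision -ge $Minimums[$cu]) {
        $status = 'Patched'
    } else {
        $status = 'VULNERABLE: below minimum patched build'
    }
    [pscustomobject]@{ Server = $ServerName; Build = $InstalledBuild; CU = $cu; Status = $status }
}

# ExSetup.exe's file version includes the security update level. Invoke-Command
# assumes remoting to each Exchange server is enabled (assumption for this example).
$results = foreach ($srv in Get-ExchangeServer) {
    $fileVer = Invoke-Command -ComputerName $srv.Name -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
    }
    Test-ExchangeBuild -ServerName $srv.Name -InstalledBuild ([version]$fileVer) -Minimums $MinimumPatchedBuild
}
$results | Format-Table -AutoSize
```

Any server reported as below the minimum build, or on a CU that no longer receives security updates, should be treated as exposed to the CVEs in the table until it is brought to a patched build.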
References
- Trend Micro’s Technical Blog post
- ZDI Report on ProxyToken
- July 13, 2021 Microsoft Exchange Updates
- May 11, 2021 Microsoft Exchange Updates
- April 13, 2021 Microsoft Exchange Updates