Governance & Risk Management , Patch Management

Microsoft Issues Security Advisory on ProxyShell Flaws

Alert Urges Organizations to Patch as Vulnerabilities Are Exploited
Microsoft Issues Security Advisory on ProxyShell Flaws

Four months after Microsoft released the first security update for three vulnerabilities in several versions of its on-premises Exchange Server software - collectively called ProxyShell - the company has issued its first official guidance on the actively exploited flaws on Wednesday.

See Also: Live Webinar | A Buyers' Guide: What to Consider When Assessing a CASB

"If you have not installed either of these security updates, then your servers and data are vulnerable. As we have said several times, it is critical to keep your Exchange servers updated with the latest available cumulative update and security update," the Microsoft Exchange Team says.

Microsoft has issued a series of bulletins and security updates since the first patches for the three Exchange Server vulnerabilities, but in this week's statement, the company advised all organizations running the software to immediately install patches if they have not already done so.

The ProxyShell vulnerabilities in Exchange Server 2013, 2016 and 2019 are:

Microsoft's warning comes five days after the Cybersecurity and Infrastructure Security Agency issued a statement warning that attackers were actively exploiting the ProxyShell vulnerabilities.

Microsoft's Warning

Microsoft says organizations that have implemented the ProxyShell patches that the company pushed out in May and July are protected.

Exchange servers, however, are vulnerable if: they are running an older, unsupported cumulative update without the May security update; they are running security updates for older, unsupported versions of Exchange that were released in March; or they are running an older, unsupported cumulative update with the March 2021 Exchange on-premises mitigation tool applied.

"In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities," Microsoft's Exchange team says.

Flaws Discovery

The ProxyShell vulnerabilities were discovered by Devcore security researcher Cheng-Da Tsai - also known as Orange Tsai - who demonstrated an exploit at the Pwn2Own contest in April. Earlier, Orange Tsai had uncovered the ProxyLogon and ProxyOracle flaws in Exchange servers.

The ProxyLogon vulnerabilities in Exchange prompted alerts in March and April from CISA. Those flaws affected on-premises versions of the email servers that are primarily used by smaller businesses and local government agencies. In July, the Biden administration attributed some of the initial attacks exploiting ProxyLogon to China's Ministry of State Security, aka MSS (see: Can the US Curb China's Cyber Ambitions?).

The ProxyShell vulnerabilities were called "worse than Proxylogon" by Kevin Beaumont , head of the security operations center for London-based fashion retail giant Arcadia Group, who noted that his honeypots had started to see increased activity from certain malicious IP addresses.

"These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March. They are more exploitable, and organizations largely haven't patched," Beaumont says.

Meanwhile, Symantec researchers warned in a report that a recently discovered ransomware gang called LockFile appears to have exploited the ProxyShell flaws to launch attacks.

Symantec estimates that LockFile has targeted at least 10 organizations in the U.S. and Asia, although it's not clear if all of these incidents involved ProxyShell exploits.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.