ProxyShell can be exploited to achieve a Remote Code Execution without needing to know any usernames or passwords for the targeted Exchange Server – security vulnerabilities do not come any worse than this. ProxyShell is easier to exploit than the ProxyLogon attacks that hit the headlines earlier this year, prompting CISA to issue their first ever urgent alert advising admins to check and patch their Exchange Servers.
According to the researcher who discovered the vulnerabilities:
With ProxyShell, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port!
~ Orange Tsai from DEVCORE Research Team
- CVE-2021-34473 – Pre-authentication access control bypass (Patched in April by KB5001779)
- CVE-2021-34523 – Elevation of privilege through Exchange PowerShell (Patched in April by KB5001779)
- CVE-2021-31207 – Post-authentication Remote Code Execution (Patched in May by KB5003435)
Although patches were released for the three ProxyShell vulnerabilities in April, CVE were not published until July which may have delayed them coming to the attention of security managers. Attention was drawn to these vulnerabilities when they were featured in a talk at the Black Hat security conference at the start of August and attacks have been increasing since then with some systems being installed with multiple web shells from different threat actors.
Security Firm Huntress reviewed 1900 vulnerable servers and found over 140 different web shells installed on those systems by exploiting ProxyShell.
How to Mitigate ProxyShell
If you haven’t done so already, install the patches from Microsoft that fix these vulnerabilities first of all in order to stop any chance of exploitation.
Regardless of when you installed the patches to disable ProxyShell – if a web shell was installed before you patched, threat actors may retain persistent access to your server. Web Shell activity usually turns up in the w3wp.exe (IIS) process which Microsoft advises to exclude from your anti-malware configurations. If you have followed this advice, you may want to include the IIS folders back into the scanning regime of your anti-malware software in order to identify web shell scripts installed on your server.
The NSA also offers advice on how to detect and remove Web Shells.