CVE

CVE-2021-26855 - ProxyLogon | CVE-2021-26857 | CVE-2021-26858 | CVE-2021-27065

ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default!

As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!

Check if you are running the patched version here

Vulnerable Exchange versions

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Patches for specific Exchange CU versions

You will need to install the latest CU first to be compliant.

Release date Product Impact Severity Article Download Details
Mar 2, 2021 Microsoft Exchange Server 2016 Cumulative Update 18 Remote Code Execution Critical 5000871 Security Update CVE-2021-26855
Mar 2, 2021 Microsoft Exchange Server 2019 Cumulative Update 7 Remote Code Execution Critical 5000871 Security Update CVE-2021-26855
Mar 2, 2021 Microsoft Exchange Server 2013 Cumulative Update 23 Remote Code Execution Critical 5000871 Security Update CVE-2021-26855
Mar 2, 2021 Microsoft Exchange Server 2019 Cumulative Update 8 Remote Code Execution Critical 5000871 Security Update CVE-2021-26855
Mar 2, 2021 Microsoft Exchange Server 2016 Cumulative Update 19 Remote Code Execution Critical 5000871 Security Update CVE-2021-26855

Scanner

Nmap .NSE file is created by Microsoft and can be found here.

$ nmap -p 443 --script http-vuln-cve2021-26855 10.10.10.15

PORT    STATE SERVICE
443/tcp  open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|
|     Disclosure date: 2021-03-02
|     References:
|       http://aka.ms/exchangevulns

@args http-vuln-cve2021-26855.method The HTTP method for the request. The default method is "GET".

Exploit

TO BE CONTINUED

Remediation / log analysis / detection of already created webshells

Running identification script from Microsoft

https://github.com/microsoft/CSS-Exchange/raw/main/Security/Test-ProxyLogon.ps1

Welcome to the Exchange Management Shell!

[PS] C:\Users\Johndo-adm>.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Do you want to run software from this untrusted publisher?
File C:\Users\Johndo-adm\Test-ProxyLogon.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation,
 L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): R
ProxyLogon Status: Exchange Server EXCH01
  
  Nothing suspicious detected

Detection of already created webshells

Detect webshells dropped on Microsoft Exchange servers exploited through “proxylogon” group of vulnerabilites (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

https://github.com/cert-lv/exchange_webshell_detection

Microsoft Safety Scanner (MSERT)

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

URL list