ProxyShell vulnerabilities and your Exchange Server
Published Aug 25 2021 10:51 AM

This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).

But if you have not installed either of these security updates, then your servers and data are vulnerable. As we have said several times, it is critical to keep your Exchange servers updated with the latest available Cumulative Update (CU) and Security Update (SU).

Your Exchange servers are vulnerable if any of the following are true:

  • The server is running an older, unsupported CU (without May 2021 SU);
  • The server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or
  • The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange server that is not on a supported CU with the latest available SU is vulnerable to ProxyShell and to other attacks that leverage older vulnerabilities.

Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats. Please update now!

The Exchange Team
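All three vulnerable conditions above reduce to one observable: the server's installed build is below the build of the latest supported CU plus its SU. The script below is an added example, not code from the Exchange Team or from this post, showing how an administrator can inventory that build across the organization from the Exchange Management Shell. It assumes the account can run Invoke-Command against each server, that $env:ExchangeInstallPath is set on every Exchange server (setup creates it), and that the minimum build numbers, which are placeholders here, are replaced with the values from Microsoft's Exchange build number documentation for your version.

```powershell
# Added example (not the Exchange Team's code): report every Exchange server
# whose installed build is below a minimum build you supply per product line.
# Assumptions: run from the Exchange Management Shell by an account allowed to
# Invoke-Command on each server; $env:ExchangeInstallPath exists on every
# Exchange server. The build numbers below are PLACEHOLDERS: replace them with
# the build of the latest supported CU plus the May or July 2021 SU for each
# line, taken from Microsoft's Exchange build number table.

$MinimumPatchedBuild = @{
    '15.0' = [version]'15.0.0.0'   # PLACEHOLDER: Exchange 2013 supported CU + SU
    '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 supported CU + SU
    '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 supported CU + SU
}

function Get-ExchangeBuildReport {
    param([hashtable]$Minimum = $MinimumPatchedBuild)

    # AdminDisplayVersion from Get-ExchangeServer only changes with a CU; an SU
    # leaves it untouched. The file version of ExSetup.exe does change with an
    # SU, so that is the value compared against the minimum.
    foreach ($server in Get-ExchangeServer) {
        try {
            $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
                (Get-Item $exe).VersionInfo.FileVersion
            }
            $build  = [version]$fileVersion
            $line   = '{0}.{1}' -f $build.Major, $build.Minor   # e.g. 15.1 = Exchange 2016
            $target = $Minimum[$line]

            if (-not $target)           { $status = 'UnknownProductLine' }
            elseif ($build -ge $target) { $status = 'AtOrAboveMinimum' }
            else                        { $status = 'BelowMinimum-Vulnerable' }
        }
        catch {
            # A server that cannot be queried is reported, not silently skipped.
            $build  = $null
            $target = $null
            $status = "QueryFailed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Server  = $server.Name
            Build   = $build
            Minimum = $target
            Status  = $status
        }
    }
}

# Servers reported as BelowMinimum-Vulnerable match one of the three conditions
# in the post and need the latest supported CU and SU installed.
Get-ExchangeBuildReport | Sort-Object Status | Format-Table -AutoSize
```

A build at or above the minimum confirms the CU and SU level only; as the Exchange Team notes in the comments, it says nothing about whether malicious software was placed on the server before the update was installed, so a server that was exposed while unpatched still needs to be investigated separately.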

12 Comments
Copper Contributor

I'm running Exchange 2016 CU19 and have had April/May Exchange SUs installed since they were released. Am I vulnerable to ProxyShell? Installing CU21 is a priority for me, but I'm not losing sleep over ProxyShell. Unless there is an undisclosed vulnerability in CU19?! (I know I am missing July SU)

Brass Contributor

Time to get rid of the hybrid Exchange servers without being unsupported in hybrid AD situations, Microsoft!

Microsoft

@jordanl17 You are right; if you have May 2021 SU, you are not vulnerable as far as this particular scenario is concerned. I have modified the wording slightly (while hoping I am not making it too complicated). We recommend that admins install the latest / supported CU + latest SU to address those vulnerabilities but May 2021 SU suffices for this scenario.

Copper Contributor

What if you have a hybrid server that was compromised, but is now patched? Is there any remediation that needs to be done? Back in March the EOMT script was released; is there something similar for this most recent exploit?

Steel Contributor

great article, nice tool

Copper Contributor

I'm running the latest CU and SU on 5 Exchange 2013 servers and got shelled last week. I've also run the EOMT and MSERT tools on these servers after the Hafnium attacks. The only misconfiguration I found when running the HealthChecker.ps1 script was that it suggested enabling the GCServer for the MSExchangeMAPIFrontEndAppPool.

Steel Contributor

big f for @mscheidler

Copper Contributor

I have Exchange 2019 with all the latest updates. Today they broke in and ran PowerShell sessions and LockBit ransomware.
These security updates don't work!

Microsoft

Folks - just to clarify a few things (after a few last comments):

We are not aware of a scenario where updates are 'not working'. As far as we know, this is not a thing. If you have done analysis of your breached server that clearly shows that your servers were exploited after all relevant updates were installed (and the server was 'clean' of malicious software before updates were installed) - please open a support ticket with us and we will be glad to work with you on it.

We have been really trying to communicate the need to stay up to date; unfortunately, bad actors do not wait for change management, so as soon as vulnerabilities are disclosed, the race is on (this is why it is super important to install updates as they become available). Various scenarios could be at play here, for example: web shells are present on a server via a previous vulnerability and no action is taken, even for months; one bad actor dropped a web shell a while ago and another decided to use it at a later time. Those are just a few examples.

Updating a server removes the vulnerabilities but the server could still have malicious processes running on it. Vulnerability is a path of how malicious software could be deployed on a server. But if such software is already present, patching the vulnerability by itself does not 'clean' the server.

Please stay safe and update quickly!

Copper Contributor

@molislaegers: afaik you are not unsupported if you do not use an Exchange server in hybrid mode. You just have to install one internally for management. So you add changes to AD with the Exchange server and AAD Connect does the synchronization to O365/ExO. For this there is no need to do any hybrid configuration. So you do not have to publish your Exchange externally.

Copper Contributor

Good day!

Please tell me how to create a support ticket?

Our Exchange Server 2019 was hacked by ProxyShell. How can you find out if there has been a leak of information?

We have completed the installation of the latest update. How do I clean up our Exchange Server properly?

Copper Contributor

In case they failed to emphasize this enough: they are not providing a patch for this for all installations of Exchange 2019. If you have not installed a recent CU, you will not receive the patch, and you will be vulnerable, and likely be attacked.

Yeah, it would be nice if Exchange was updated like every other MS product I know of: check for updates, and if none are available, then you are up to date.

And the "Cumulative Updates" aren't updates, they are upgrades that require backup and reinstallation of Exchange.

So, why in the world would MS take a step backwards and force you to manually reinstall Exchange in order to receive critical security updates? Why in the world would MS provide patches for this for some CUs for Exchange 2016 and not for all CUs of Exchange 2019?

Last update: Aug 26 2021 05:24 AM