ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default!
As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server with nothing more than port 443 exposed!
Check whether you are running a patched version here.
You will need to install the latest Cumulative Update (CU) first; the security update is only offered for the CU levels listed below.
Release date | Product | Impact | Severity | Article | Download | Details |
---|---|---|---|---|---|---|
Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 18 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 7 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
The Nmap NSE script (http-vuln-cve2021-26855) was created by Microsoft and can be found here.

```
$ nmap -p 443 --script http-vuln-cve2021-26855 10.10.10.15
PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|
|     Disclosure date: 2021-03-02
|     References:
|_      http://aka.ms/exchangevulns
```
The script takes one optional argument, `http-vuln-cve2021-26855.method`, the HTTP method used for the probe request; the default method is "GET".
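When the script is run against a whole range of Exchange servers, the text report has to be turned into a patch list. The following is an added example, not Microsoft's NSE script and not code from the page: a small Python parser for nmap's normal-mode output that extracts, per host, the `State:` and `IDs:` lines of the CVE-2021-26855 script block. The three-host sample report is constructed (hosts, and the `NOT VULNERABLE` block that nmap's vulns library prints only when `vulns.showall` is set, are made up for illustration); hosts for which the script printed nothing are reported as `NOT REPORTED`.

```python
"""Triage nmap http-vuln-cve2021-26855 output across many hosts (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: three hosts in the layout the script prints on the page.
# 10.10.10.16 has no script section at all (the default for a clean host);
# 10.10.10.17 shows the explicit NOT VULNERABLE block that appears with vulns.showall=1.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.15
PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|
|     Disclosure date: 2021-03-02
|     References:
|_      http://aka.ms/exchangevulns

Nmap scan report for 10.10.10.16
PORT    STATE SERVICE
443/tcp open  https

Nmap scan report for 10.10.10.17
PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   Exchange Server SSRF Vulnerability
|     State: NOT VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|_    Disclosure date: 2021-03-02
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
STATE_RE = re.compile(r"^\|\s+State:\s+(.+?)\s*$")
IDS_RE = re.compile(r"^\|\s+IDs:\s+(.+?)\s*$")
SCRIPT_HEADER = "| http-vuln-cve2021-26855:"


@dataclass
class HostResult:
    host: str
    state: str = "NOT REPORTED"          # the script printed nothing for this host
    cves: List[str] = field(default_factory=list)


def parse_nmap_output(text: str) -> List[HostResult]:
    """Walk the report line by line, reading only the CVE-2021-26855 block of each host."""
    results: List[HostResult] = []
    current = None
    in_script = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostResult(host=m.group(1))
            results.append(current)
            in_script = False
            continue
        if current is None:
            continue
        if line.startswith(SCRIPT_HEADER):
            in_script = True
            continue
        if not in_script:
            continue
        m = STATE_RE.match(line)
        if m:
            current.state = m.group(1)
        m = IDS_RE.match(line)
        if m:
            # "CVE:CVE-2021-26855" -> "CVE-2021-26855"; several IDs may be listed
            current.cves = [tok.split(":", 1)[1] for tok in m.group(1).split() if ":" in tok]
        if line.startswith("|_"):
            in_script = False            # "|_" is nmap's marker for a script's last line
    return results


def vulnerable_hosts(text: str) -> List[str]:
    """Hosts that need the security update applied first."""
    return [r.host for r in parse_nmap_output(text) if r.state == "VULNERABLE"]


if __name__ == "__main__":
    for r in parse_nmap_output(SAMPLE_NMAP_OUTPUT):
        print(f"{r.host:<16} {r.state:<15} {','.join(r.cves)}")
    print("Patch first:", vulnerable_hosts(SAMPLE_NMAP_OUTPUT))
```

Feed it the saved `-oN` report of a fleet scan; a host in the `NOT REPORTED` state should be re-checked rather than assumed clean, since the script also prints nothing when it could not reach the Exchange endpoint at all.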
TO BE CONTINUED
https://github.com/microsoft/CSS-Exchange/raw/main/Security/Test-ProxyLogon.ps1
```
Welcome to the Exchange Management Shell!

[PS] C:\Users\Johndo-adm>.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Do you want to run software from this untrusted publisher?
File C:\Users\Johndo-adm\Test-ProxyLogon.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation,
L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): R

ProxyLogon Status: Exchange Server EXCH01
Nothing suspicious detected
```
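The page does not say what Test-ProxyLogon.ps1 looks for. As an added example (Python, not Microsoft's script and not code from the page), the block below reproduces one of its publicly documented checks: rows in the Exchange HttpProxy logs whose `AnchorMailbox` column matches the wildcard `ServerInfo~*/*`, the pattern Microsoft's guidance associates with exploitation of CVE-2021-26855. The indicator, the reduced column set, and the log location are assumptions taken from that guidance; the sample log is constructed, with made-up hosts, addresses and request ids.

```python
"""Flag the CVE-2021-26855 AnchorMailbox indicator in Exchange HttpProxy logs (added example)."""
import csv
import fnmatch
from pathlib import Path
from typing import Dict, Iterable, List

# Wildcard indicator for the AnchorMailbox column. Assumption: taken from Microsoft's public
# ProxyLogon guidance; compare with the current Test-ProxyLogon.ps1 before relying on it.
ANCHOR_PATTERN = "ServerInfo~*/*"

# Constructed sample in the general shape of an HttpProxy log: '#' header lines, a
# '#Fields:' line naming the columns, then CSV rows. The real logs have many more columns.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus
2021-03-03T08:15:01.000Z,req-0001,10.0.0.25,/owa/auth/logon.aspx,Smtp~alice@example.test,200
2021-03-03T08:16:44.000Z,req-0002,198.51.100.7,/ecp/default.aspx,ServerInfo~exch01.example.test/autodiscover/autodiscover.xml,200
2021-03-03T08:17:02.000Z,req-0003,10.0.0.30,/mapi/emsmdb/,Smtp~bob@example.test,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Turn one HttpProxy log file into a list of {column: value} rows."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#") or not line.strip():
            continue                     # other header comments and blank lines
        if not fields:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))  # csv handles quoted values containing commas
        rows.append(dict(zip(fields, values)))
    return rows


def find_anchor_hits(rows: Iterable[Dict[str, str]],
                     pattern: str = ANCHOR_PATTERN) -> List[Dict[str, str]]:
    """Return the rows whose AnchorMailbox matches the wildcard indicator."""
    return [r for r in rows if fnmatch.fnmatchcase(r.get("AnchorMailbox", ""), pattern)]


def scan_log_directory(directory: Path, pattern: str = ANCHOR_PATTERN) -> List[Dict[str, str]]:
    """Scan every *.log file below a directory. On a server this would be the HttpProxy
    folder under the Exchange Logging directory (assumption: check your own install path)."""
    hits: List[Dict[str, str]] = []
    for path in sorted(directory.rglob("*.log")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for row in find_anchor_hits(parse_httpproxy_log(text), pattern):
            row["SourceFile"] = str(path)
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_anchor_hits(parse_httpproxy_log(SAMPLE_LOG)):
        print(f"{hit['DateTime']} {hit['ClientIpAddress']} {hit['RequestId']} "
              f"AnchorMailbox={hit['AnchorMailbox']}")
```

A hit is an indicator, not proof: take the `ClientIpAddress`, `RequestId` and timestamp of each row into the rest of the investigation (ECP and OAB generator logs, new .aspx files under the Exchange web roots) rather than treating the single match as the conclusion.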
Detect webshells dropped on Microsoft Exchange servers exploited through the "ProxyLogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065):
https://github.com/cert-lv/exchange_webshell_detection
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.