CVE-2021-26855
ProxyLogon | CVE-2021-26857 | CVE-2021-26858 | CVE-2021-27065
ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default!
As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through only an open port 443!
Check if you are running the patched version here
Vulnerable Exchange versions
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Patches for specific Exchange CU versions
You will need to install the latest CU first to be compliant.
Release date | Product | Impact | Severity | Article | Download | Details |
---|---|---|---|---|---|---|
Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 18 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 7 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
Scanner
An Nmap NSE script for this check was created by Microsoft and can be found here.

```
$ nmap -p 443 --script http-vuln-cve2021-26855 10.10.10.15
PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|
|     Disclosure date: 2021-03-02
|     References:
|       http://aka.ms/exchangevulns
```

Script argument: `http-vuln-cve2021-26855.method` sets the HTTP method used for the request; the default method is "GET".
Exploit
TO BE CONTINUED
Remediation / log analysis / detection of already created webshells
Running the identification script from Microsoft:
https://github.com/microsoft/CSS-Exchange/raw/main/Security/Test-ProxyLogon.ps1

```
Welcome to the Exchange Management Shell!
[PS] C:\Users\Johndo-adm>.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
Do you want to run software from this untrusted publisher?
File C:\Users\Johndo-adm\Test-ProxyLogon.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation,
L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is "D"): R
ProxyLogon Status: Exchange Server EXCH01
Nothing suspicious detected
```
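When the Exchange logs have been copied off the server (for instance from the -OutPath folder above), the two indicators Microsoft published for the HttpProxy and ECP server logs can be checked offline. This is an added example, not Microsoft's script or this page's own code; the log excerpts are constructed, and the column subset and the ECP line layout are assumptions.

```python
import csv
import re
from typing import Dict, List

# Constructed HttpProxy log excerpt (subset of the real columns), not a real
# capture. Only the third data row carries the public CVE-2021-26855 indicator:
# no authenticated user, and an AnchorMailbox of the form "ServerInfo~host/path".
SAMPLE_HTTPPROXY_LOG = r"""DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:00:01.000Z,192.0.2.10,/owa/,CONTOSO\jdoe,Sid~S-1-5-21-1-2-3-1001,200
2021-03-03T10:00:02.000Z,192.0.2.11,/ecp/,CONTOSO\admin,ServerInfo~EXCH01.contoso.local/ecp/,200
2021-03-03T10:00:03.000Z,198.51.100.7,/owa/,,ServerInfo~EXCH01.contoso.local/autodiscover/autodiscover.xml,200
"""

# Constructed ECP server log excerpt (line layout assumed). The second line is
# the public CVE-2021-27065 indicator: a *VirtualDirectory cmdlet set via ECP.
SAMPLE_ECP_LOG = """2021-03-03T10:00:05.000Z,EXCH01,S:CMD=Get-Mailbox;S:Bld=15.1.2106.2
2021-03-03T10:00:09.000Z,EXCH01,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://placeholder.invalid/';S:Bld=15.1.2106.2
"""

SET_VDIR_RE = re.compile(r"Set-.+VirtualDirectory")


def _data_lines(log_text: str) -> List[str]:
    """Drop blank lines and '#'-prefixed header comments."""
    return [ln for ln in log_text.splitlines() if ln.strip() and not ln.startswith("#")]


def find_ssrf_indicators(httpproxy_log: str) -> List[Dict[str, str]]:
    """Rows matching Microsoft's published CVE-2021-26855 HttpProxy indicator."""
    hits = []
    for row in csv.DictReader(_data_lines(httpproxy_log)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if not user and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


def find_vdir_writes(ecp_log: str) -> List[str]:
    """ECP log lines where a *VirtualDirectory cmdlet was invoked (CVE-2021-27065 indicator)."""
    return [ln for ln in _data_lines(ecp_log) if SET_VDIR_RE.search(ln)]


if __name__ == "__main__":
    for row in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print("CVE-2021-26855 indicator:", row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    for line in find_vdir_writes(SAMPLE_ECP_LOG):
        print("CVE-2021-27065 indicator:", line)
```

Any hit should be treated as a reason to run Test-ProxyLogon and the webshell checks below on that server, since the indicators flag suspicious requests, not confirmed compromise.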
Detection of already created webshells
Detect webshells dropped on Microsoft Exchange servers exploited through the "ProxyLogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065):
https://github.com/cert-lv/exchange_webshell_detection
Microsoft Safety Scanner (MSERT)
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
URL List
- Proxylogon.com
- Msrc.microsoft.com - Microsoft Exchange Server Remote Code Execution Vulnerability - CVE-2021-26855
- Github.com - Microsoft test scripts
- Docs.microsoft.com - Microsoft Safety Scanner
- Blog.cloudflare.com - Protecting against recently disclosed Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Github.com - Detect webshells dropped on Microsoft Exchange servers after 0day compromises
- Bleepingcomputer.com - This new Microsoft tool checks Exchange Servers for ProxyLogon hacks
- nvd.nist.gov - CVE-2021-26855