ProxyShell vulnerabilities and your Exchange Server

Published Aug 25 2021 10:51 AM 49.4K Views

This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities. Exchange Online customers are also protected (but must make sure that all hybrid Exchange servers are updated).

But if you have not installed either of these security updates, then your servers and data are vulnerable. As we have said several times, it is critical to keep your Exchange servers updated with the latest available Cumulative Update (CU) and Security Update (SU).

Your Exchange servers are vulnerable if any of the following are true:

  • The server is running an older, unsupported CU (without May 2021 SU);
  • The server is running only the March 2021 security updates that were released for older, unsupported CUs; or
  • The server is running an older, unsupported CU, with the March 2021 EOMT mitigations applied.

In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.
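One way to check the criteria above across an organization, as an added example that is not part of the Exchange Team's post: the script below reads the real build of each server from the file version of ExSetup.exe and compares it with the lowest build that carries the May 2021 or July 2021 SU for that CU. It reads ExSetup.exe rather than Get-ExchangeServer because AdminDisplayVersion reflects only the CU; installing an SU does not change it, so a server can look current in AdminDisplayVersion and still be missing the SU. The minimum build numbers in the table are the May21SU / Jul21SU builds as recalled from Microsoft's Exchange Server build-number reference; treat them as an assumption and confirm them against that reference before acting on the report. The script assumes the Exchange Management Shell and WinRM access to each server.

```powershell
# Added example; not code from the Exchange Team post. Reports, for every Exchange
# server in the org, whether its installed build is at or above the May 2021 / July
# 2021 SU build for its CU. Run from the Exchange Management Shell with rights to
# Invoke-Command on each server.
#
# Why read ExSetup.exe? Get-ExchangeServer's AdminDisplayVersion reflects the CU only;
# installing a Security Update does not change it. The file version of ExSetup.exe does.

# ASSUMPTION: the minimum builds below are the May21SU / Jul21SU builds as recalled
# from Microsoft's "Exchange Server build numbers and release dates" page. Confirm
# them against that page before acting on this report.
$MinimumPatchedRevision = @{
    # key = CU build prefix (major.minor.build), value = lowest patched revision
    '15.2.922'  = 13   # Exchange 2019 CU10 + Jul21SU
    '15.2.858'  = 12   # Exchange 2019 CU9  + May21SU
    '15.2.792'  = 15   # Exchange 2019 CU8  + May21SU
    '15.1.2308' = 14   # Exchange 2016 CU21 + Jul21SU
    '15.1.2242' = 10   # Exchange 2016 CU20 + May21SU
    '15.1.2176' = 14   # Exchange 2016 CU19 + May21SU
    '15.0.1497' = 18   # Exchange 2013 CU23 + May21SU
}

function Get-ExchangeSecurityUpdateStatus {
    [CmdletBinding()]
    param(
        # Defaults to every server in the org; pass names to check a subset.
        [string[]]$ServerName = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    foreach ($server in $ServerName) {
        try {
            # Read the install path from the registry on the target, then the
            # file version of ExSetup.exe (looks like "15.02.0922.013").
            $fileVersion = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
                (Get-Item (Join-Path $setup.MsiInstallPath 'Bin\ExSetup.exe')).VersionInfo.FileVersion
            }
        } catch {
            [pscustomobject]@{ Server = $server; Build = $null; Status = "UNKNOWN: $($_.Exception.Message)" }
            continue
        }

        $v     = [version]$fileVersion            # leading zeros are dropped on parse
        $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build

        if ($MinimumPatchedRevision.ContainsKey($cuKey)) {
            $status = if ($v.Revision -ge $MinimumPatchedRevision[$cuKey]) {
                'PATCHED'
            } else {
                'VULNERABLE: install the SU for this CU, then plan the CU upgrade'
            }
        } else {
            # Either a CU that never received the May/July 2021 SU (unsupported; upgrade
            # the CU first, then apply the latest SU) or a CU newer than this table.
            $status = 'NOT IN TABLE: unsupported CU, or table needs updating'
        }

        [pscustomobject]@{ Server = $server; Build = $v.ToString(); Status = $status }
    }
}

Get-ExchangeSecurityUpdateStatus | Format-Table -AutoSize
```

A server reported as NOT IN TABLE is the case the list above describes: a CU that never received the May 2021 SU cannot be brought to a protected state by any SU, only by moving to a supported CU first. Re-run the report after each maintenance window; an SU that failed to install (for example because setup was not run elevated) leaves the file version unchanged, and this check catches that where AdminDisplayVersion would not.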

Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats. Please update now!

The Exchange Team

Labels: Exchange 2013, Exchange 2016, Exchange 2019, On premises, Security

12 Comments

Re: ProxyShell vulnerabilities and your Exchange Server
I'm running Exchange 2016 CU19 and have had the April/May Exchange SUs installed since they were released. Am I vulnerable to ProxyShell? Installing CU21 is a priority for me, but I'm not losing sleep over ProxyShell. Unless there is an undisclosed vulnerability in CU19?!

Re: ProxyShell vulnerabilities and your Exchange Server
Time to get rid of the hybrid Exchange servers without being unsupported in hybrid AD situations, Microsoft!

Re: ProxyShell vulnerabilities and your Exchange Server
@jordanl17 You are right; if you have the May 2021 SU, you are not vulnerable as far as this particular scenario is concerned. I have modified the wording slightly (while hoping I am not making it too complicated). We recommend that admins install the latest / supported CU + latest SU to address those vulnerabilities, but the May 2021 SU suffices for this scenario.

Re: ProxyShell vulnerabilities and your Exchange Server
What if you have a hybrid server that was compromised, but is now patched? Is there any remediation that needs to be done? Back in March the EOMT script was released; is there something similar for this most recent exploit?

Re: ProxyShell vulnerabilities and your Exchange Server
Great article, nice tool.

Re: ProxyShell vulnerabilities and your Exchange Server
I'm running the latest CU and SU on 5 Exchange 2013 servers and got shelled last week. I've also run the EOMT and MSCERT tools on these servers after the Hafnium attacks. The only misconfiguration I found when running the HealthChecker.ps1 script was that it suggested enabling the GCServer for the MSExchangeMAPIFrontEndAppPool.

Re: ProxyShell vulnerabilities and your Exchange Server
Big F for @mscheidler

Re: ProxyShell vulnerabilities and your Exchange Server
I have Exchange 2019 with all the latest updates. Today they broke in and ran PowerShell sessions and LockBit ransomware. These security updates don't work!

Re: ProxyShell vulnerabilities and your Exchange Server
Folks - just to clarify a few things (after a few last comments):

We are not aware of a scenario where updates are 'not working'. As far as we know, this is not a thing. If you have done analysis of your breached server that clearly shows that your servers were exploited after all relevant updates were installed (and the server was 'clean' of malicious software before updates were installed) - please open a support ticket with us and we will be glad to work with you on it.

We have been really trying to communicate the need to stay up to date; unfortunately, bad actors do not wait for change management, so as soon as vulnerabilities are disclosed, the race is on (this is why it is super important to install updates as they become available). Various scenarios could be at play here, for example: web shells are present on a server via a previous vulnerability and no action is taken, for months even; one bad actor dropped a web shell a while ago and another decided to use it at a later time. Those are just a few examples.

Updating a server removes the vulnerabilities, but the server could still have malicious processes running on it. A vulnerability is a path by which malicious software could be deployed on a server. But if such software is already present, patching the vulnerability by itself does not 'clean' the server.

Please stay safe and update quickly!

Re: ProxyShell vulnerabilities and your Exchange Server
@molislaegers: afaik you are not unsupported if you do not use an Exchange server in hybrid mode. You just have to install one internally for management. So you add changes to AD with the Exchange server and AAD Connect does the synchronization to O365/ExO. For this there is no need to do any hybrid configuration. So you do not have to publish your Exchange externally.

Re: ProxyShell vulnerabilities and your Exchange Server
Good day!

Please tell me how to create a support ticket?

Our Exchange Server 2019 was hacked by ProxyShell. How can you find out if there has been a leak of information?

We have completed the installation of the latest update. How do I clean up our Exchange Server properly?

Re: ProxyShell vulnerabilities and your Exchange Server
In case they failed to emphasize this enough: they are not providing a patch for this for all installations of Exchange 2019. If you have not installed a recent CU, you will not receive the patch, and you will be vulnerable, and likely be attacked.

Yeah, it would be nice if Exchange was updated like every other MS product I know of - check for updates, and if none are available, then you are up to date.

And the "Cumulative Updates" aren't updates, they are upgrades that require backup and reinstallation of Exchange.

So, why in the world would MS take a step backwards and force you to manually reinstall Exchange in order to receive critical security updates? Why in the world would MS provide patches for this for some CUs for Exchange 2016 and not for all CUs of Exchange 2019?
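The Exchange Team's reply in the comments makes the point that an SU closes the entry path but does not clean a server that a web shell already landed on, and a later comment asks how to clean up properly. As an added example (not from the post and not a Microsoft tool), here is one first-pass check a practitioner can run on a patched server: inventory and hash the web-served script files under the Exchange web roots and the IIS root, then report every file whose path and hash do not appear in a baseline taken on a known-good server at the same CU and SU. It assumes the default IIS root under C:\inetpub\wwwroot and a clean server of the same build to take the baseline from; the comparison is on relative paths so the two servers may use different install drives.

```powershell
# Added example; not code from the Exchange Team post or a Microsoft tool. First-pass
# triage for web shells on an Exchange server that has since been patched: inventory
# and hash the web-served script files under the Exchange web roots (and the IIS root),
# then report every file whose (path, hash) pair is absent from a baseline taken on a
# known-good server at the same CU + SU. Run elevated on the server being examined.
#
# Why a baseline rather than "recently modified"? A CU or SU legitimately rewrites
# many .aspx files, so timestamps alone produce noise; what matters is a file that
# no clean server of the same build has.

function Get-ExchangeWebScriptInventory {
    [CmdletBinding()]
    param(
        # ASSUMPTION: default IIS root. Add any other site roots you serve.
        [string[]]$ExtraRoot = @('C:\inetpub\wwwroot'),
        [string[]]$Extension = @('.aspx', '.asp', '.ashx', '.asmx', '.asax')
    )

    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    $roots = @(
        (Join-Path $setup.MsiInstallPath 'FrontEnd\HttpProxy'),   # front-end (CAFE) web roots
        (Join-Path $setup.MsiInstallPath 'ClientAccess')          # back-end web roots
    ) + $ExtraRoot

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $Extension } |
            ForEach-Object {
                [pscustomobject]@{
                    Root         = $root
                    # relative, so inventories from servers on different install drives compare
                    RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                    Created      = $_.CreationTime
                    LastWrite    = $_.LastWriteTime
                    Length       = $_.Length
                    Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Compare-ExchangeWebScriptInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Current,
        [Parameter(Mandatory)][object[]]$Baseline   # e.g. Import-Csv of a clean server's inventory
    )
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.RelativePath)|$($b.Sha256)"] = $true }
    # New files and modified files both fall out here; each needs a human look.
    $Current | Where-Object { -not $known.ContainsKey("$($_.RelativePath)|$($_.Sha256)") }
}

# Usage. On a known-good server at the same CU + SU, export the baseline:
#   Get-ExchangeWebScriptInventory | Export-Csv -NoTypeInformation C:\Temp\webscripts-baseline.csv
# On the server under investigation:
#   $inv = Get-ExchangeWebScriptInventory
#   Compare-ExchangeWebScriptInventory -Current $inv -Baseline (Import-Csv C:\Temp\webscripts-baseline.csv) |
#       Sort-Object Created | Format-Table RelativePath, Created, LastWrite, Length -AutoSize
```

A file that appears in the difference is not proof of compromise on its own (an operator may have dropped a custom page there), and an empty difference is not proof of a clean server, since a web shell can also be planted outside these roots or replaced by other persistence once an attacker has a foothold. Treat any unexplained hit as a reason to preserve the file and its timestamps and start incident response rather than simply deleting it; as the Exchange Team's comment says, patching removes the path in, not what has already come through it.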
Version history
Last update: Aug 26 2021 05:24 AM