Exchange vulnerabilities: Will we see Hafnium II?

Sicherheit (Pexels, allgemeine Nutzung)[German]Are we soon seeing a second hafnium disaster, in which Exchange servers are attacked and taken over via vulnerabilities? At the BlackHat 2021 conference, security researcher Orange Tsai spoke about new vulnerabilities in Microsoft Exchange and, in addition to old (and patched) security issues, and he lso hinted at new attack vector via known and new vulnerabilities. What has been patched so far is only the tip of an iceberg, he hinted. In addition, there are plenty of Exchange servers that are accessible via the Internet but are at a March 2021 patch level. Ingredients that could potentially bring us the next disaster with cyber attacks on Exchange servers.


There is no known 0day vulnerability in Exchange or public exploit. However, German blog reader Stefan S. alerted me last night via a private message on Facebook to a talk by Orange Tsai about vulnerabilities in Microsoft Exchange at the BlackHat 2021 conference. I'll pull together the information I just gathered.

Orange Tsai about Exchange vulnerabilities

DEVCORE is a group of security specialists based in Taiwan who purport to understand hackers. The name DEVCORE will mean something to some readers, as the group was involved in the discovery of the vulnerabilities exploited in the Hafnium hack. Security researcher Orange Tsai of the DEVCORE team gave a talk on Exchange vulnerabilities at BlackHat 2021. The talk title was ProxyLogon is Just the Tip of the Iceberg and the name says it all. The video of the presentation at BlackHat 2021 can be viewed on YouTube.  

(Source: YouTube)

The presentation slides presented in the video have been published here. The security researcher focused on the Exchange architecture with the DEVCORE team and found a new attack surface in Microsoft Exchange Server that has not been considered before. The security researchers focused on the Client Access Service (CAS) of Exchange. Eight vulnerabilities were discovered at once, involving server-side, client-side and crypto vulnerabilities that can be exploited through the following attack chains:

  • ProxyLogon: The well-known pre-auth RCE attack chain (video here)
  • ProxyOracle: An attack chain with clear-text password recovery
  • ProxyShell: The pre-auth RCE chain demonstrated by security researchers at Pwn2Own 2021 (video here)

Browsing through the presentation slides, there is a reference to a new vulnerability without a CVE, discovered on June 2, 2021 by Orange Tsai, which has not been patched yet. In the slides, the security researcher outlines how the above methods can be used for attacks.


(Source: YouTube)

In the video above, Orange Tsai demonstrates how he combined the known attack methods against Exchange for an attack. The security researcher has now started publishing a series of blog posts on these attack surfaces. The following tweet points to the first post A New Attack Surface on MS Exchange Part 1 – ProxyLogon! of Orange Tsai with more details.

A New Attack Surface on Microsoft Exchange

The second article A New Attack Surface on MS Exchange Part 2 – ProxyOracle! is now online as well.

Unpatched Exchange Server are vulnerable

Security researcher Kevin Beaumont points out in the following tweet that an attacker is trying to access /autodiscover/autodiscover.json. The Autodiscover service to has been introduced to provide an easy way for mail client software to auto-configure itself with minimal input from the user (afaik).

Attack on Exchange honeypot

Then the IIS (Internet Information Server) writes files to its Exchange honeypot and executes commands. However, this does not necessarily mean anything, because an unpatched Exchange Server could act as a honeypot.

But what makes me jittery is a second tweet, who lists Microsoft Exchange Server 2016 with patch level March 2021 in a map of Europe. Why this patch status in particular is relevant becomes clear below.

Exchange Server 2016, patch level March 2021

Many parts of Europe (German, Austria and Switzerland) are locating many unpatched Exchange Servers. According to this tweet, the search engine Shodan now also takes into account Exchange servers that are vulnerable via CVE-2021-3107, CVE-2021-34523, CVE-2021-31206, and CVE-2021-344722. After publishing the German edition of this blog post, colleague Lawrence Abrams published this article on Bleeping Computer. There, it is confirmed that Exchange Server is being actively scanned for the NetShell vulnerability and the three vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 . These were closed in April 2021 by KB5001779  and in May 2021 by KB5003435. The disclosure of CVE-2021-34473 and CVE-2021-34523 occurred in July 2021. After Orange Tsai's talk at BlackHat 2021, security researchers PeterJson and Jang published an article with technical information about how they were able to successfully reproduce the ProxyShell exploit. And that brings us full circle. 

What protects?

In his presentation slides, Orange Tsai gives the advice to keep the Exchange Server up to date and not to let it out to the Internet (applies in particular to Web Part). In addition, Microsoft improved the CAS front end in April 2021, Orange Tsai writes. The improvement mitigated the authentication part of this attack surface and effectively reduced "pre-authentication" . Here are the patched for Exchange from April to July 2021.

The down side: Because there are a lot of Exchange Servers running out there that were patched in March 2021, but it wasn't until April 2021 that the vulnerabilities were silently patched. Anyone who administers an Exchange Server should bring it up to the latest patch level and also prevent it from being accessible via the Internet. After that, it is a matter of waiting to see what will be made available for Microsoft Exchange on the August 2021 patch day and what security messages will appear in the future (also here on the blog). 

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Microsoft Defender automatically mitigates CVE-2021-26855 on Exchange Server
Exchange hack news: What's about risk? (April 1, 2021)
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *