The Zero-Day Exploits In Microsoft Exchange Server - ProxyLogon

March 22, 2021

Hsinchu, Taiwan – Mar 22, 2021 – According to ESET's investigation report, the so-called "ProxyLogon" vulnerability in Microsoft Exchange Server is being used by several cyber-criminal groups to mount large-scale attacks. This vulnerability is a zero-day exploit: anyone who knows of the flaw can build attack tooling before the vendor provides patches. It usually takes a vendor about three months to fix the bug, test the fix and distribute patches.

Unfortunately, the cyber-criminals somehow learned of this flaw and attacked before Microsoft had finished the fix. Although Microsoft eventually did its best to distribute patches, it was still too late: as of Mar 10, 2021, more than 5000 servers in 115 countries had been injected with the malicious "HAFNIUM web shell" or other malware.

The Lionic security research team immediately studied this ProxyLogon vulnerability in Microsoft Exchange Server. They reproduced the same network environment and quickly designed IPS (Intrusion Prevention System) rules. Those IPS rules were then distributed to all customers via Lionic's SCS (Security Cloud Service), the signature update mechanism.

The CVEs related to this vulnerability are:

  • CVE-2021-26855 - An attacker uses a malicious HTTP cookie to create an SSRF (server-side request forgery). It bypasses user authentication and issues forged HTTP requests. This is the first step of the attack chain.

  • CVE-2021-26857 - An insecure deserialization vulnerability exists in the Unified Messaging service. An attacker can exploit it to run malicious code as SYSTEM on the Exchange server.

  • CVE-2021-26858, CVE-2021-27065 - Using these vulnerabilities, an attacker can inject malicious files after user authentication.

The affected versions of Exchange Server are:

  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Currently, the IPS rules with IDs 8100560, 8100561 and 8100565 in the Lionic IPS signature database have been verified to block "ProxyLogon" successfully. Meanwhile, Lionic is exchanging information with other security research teams around the world and will design further IPS rules if necessary.

Upgrading a Microsoft Exchange server to the latest version takes time. We suggest that users install a Pico-UTM 100, the security network bridge device made by Lionic, in front of every important server. Users then have enough time to upgrade the server whenever a new vulnerability is found. You are welcome to learn about the security features Lionic can provide and let us help create a safe network environment for you.

About Lionic Corporation

Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. Lionic's technologies include a complete DPI-based software engine and related management software, which offer Security Solutions addressing anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions addressing application identification, device identification, application-based QoS, web content filtering and parental control.

Lionic's security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies and others to enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, SmartNICs and mobile devices. Products powered by Lionic provide better network management and protect the world's networks from an ever-increasing level of security threats.