What is ProxyLogon?
ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default!
As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!
- March 12, 2021 - timeline updated
DEVCORE has observed global enterprises and organizations highly relied on the Microsoft ecosystem for their daily business operation. Among all its services, Microsoft Exchange has a massive number of users worldwide. With that being said, if a real hacker attack was initiated, it will cause the leakage of sensitive data from its users and pose significant losses for those enterprises. With extensive research experience on Mail Solution, including Dovecot and Exim, DEVCORE focused on Microsoft Exchange Server's research, hoping to strengthen cybersecurity awareness among global enterprises and prevent potential attack and loss.
DEVCORE operates a professional and exceptional self-disciplined team that pursues high moral standards. For the past decade, after finding the vulnerabilities, DEVCORE follows the procedure of responsible disclosure and never discloses technical details before the enterprises release the patch and security update. Since the founding of DEVCORE, we have disclosed RCE vulnerabilities from Amazon, Facebook, Twitter, GitHub and Uber. Furthermore, DEVCORE has found SSL VPN vulnerabilities from Palo Alto, Fortinet, and Pulse Secure.
For more information of ProxyLogon, please refer to the following timeline.
Questions & Answers
Why it is called the ProxyLogon? Is it related to ZeroLogon?
No, totally unrelated. We call it ProxyLogon because this bug exploits against the Exchange Proxy Architecture and Logon mechanism.
What makes the ProxyLogon bug unique?
As the most well-known mail server for enterprises, Microsoft Exchange has been the holy grail for attackers for a long time. Since the last pre-authenticated RCE (Remote Code Execution) is the EnglishmansDentist from NSA Equation Group and it only works on a 16-year-old, ancient enough Exchange Server 2003. Why isn't ProxyLogon unique?
Is ProxyLogon really serious enough to deserve a name, logo and website?
In 2019, we published a research about RCE on several leading SSL VPN vendors. Although these RCEs got lots of media exposures and alerted by US-CERT, GCHQ and even NSA, they are still being exploited by bad actors, botnets and APT groups until 2021 :(
As the Exchange bugs are more severe than SSL VPN ones and our purpose is to raise people's security awareness, we did this ProxyLogon project!
Where to find more information?
We will publish the technique paper in the future.
What versions of Exchange Server are affected?
Since the bug is due to a significant change of Client Access Service architecture on Exchange Server 2013 and the older version Exchange Server 2010 was End-of-Support on October 2020. All mainstream support Exchange Server are vulnerable!The exact vulnerable version table:
- Exchange Server 2019 < 15.02.0792.010
- Exchange Server 2019 < 15.02.0721.013
- Exchange Server 2016 < 15.01.2106.013
- Exchange Server 2013 < 15.00.1497.012
How can I mitigate this bug?
Microsoft has released Security Update to fix this vulnerability on March 03, 2021. Please update your Exchange Server ASAP!
Is this a memory corruption bug?
Unlike the EnglishmansDentist, ProxyLogon is all about logic bugs on the web. That means the exploit is reliable and easy to reproduce by bad actors.
Can I use the logo?
Who found the ProxyLogon Bug?
Vulnerability Disclosure Timeline
October 01, 2020 DEVCORE started reviewing the security on Microsoft Exchange Server December 10, 2020 DEVCORE discovered the first pre-auth proxy bug (CVE-2021-26855) December 27, 2020 DEVCORE escalated the first bug to an authentication bypass to become admin December 30, 2020 DEVCORE discovered the second post-auth arbitrary-file-write bug (CVE-2021-27065) December 31, 2020 DEVCORE chained all bugs together to a workable pre-auth RCE exploit January 05, 2021 DEVCORE sent (18:41 GMT+8) the advisory and exploit to Microsoft through the MSRC portal directly January 06, 2021 MSRC acknowledged the pre-auth proxy bug (MSRC case 62899) January 06, 2021 MSRC acknowledged the post-auth arbitrary-file-write bug (MSRC case 63835) January 08, 2021 MSRC confirmed the reported behavior January 11, 2021 DEVCORE attached a 120-days public disclosure deadline to MSRC and checked for bug collision January 12, 2021 MSRC flagged the intended deadline and confirmed no collision at that time February 02, 2021 DEVCORE checked for the update February 02, 2021 MSRC replied "they are splitting up different aspects for review individually and got at least one fix which should meet our deadline" February 12, 2021 MSRC asked the title for acknowledgements and whether we will publish a blog February 13, 2021 DEVCORE confirmed to publish a blog and said will postpone the technique details for two weeks, and will publish an easy-to-understand advisory (without technique details) instead February 18, 2021 DEVCORE provided the advisory draft to MSRC and asked for the patch date February 18, 2021 MSRC pointed out a minor typo in our draft and confirmed the patch date is 3/9 February 27, 2021 MSRC said they are almost set for release and wanted to ask if we're fine with being mentioned in their advisory February 28, 2021 DEVCORE agreed to be mentioned in their advisory March 03, 2021 MSRC said they are likely going to be pushing out their blog earlier than expected and won’t have time to do an overview of the blog March 03, 2021 MSRC published the patch and advisory and acknowledged DEVCORE officially March 03, 2021 DEVCORE has launched an initial investigation after informed of active exploitation advisory from Volexity March 04, 2021 DEVCORE has confirmed the in-the-wild exploit was the same one reported to MSRC March 05, 2021 DEVCORE hasn't found concern in the investigation March 08, 2021 As more cybersecurity companies have found the signs of intrusion at Microsoft Exchange Server from their client environment, DEVCORE later learned that HAFNIUM was using ProxyLogon exploit during the attack in late February from Unit 42, Rapid 7, and CrowdStrike.