Following the release of details last week about three vulnerabilities in Microsoft Exchange, attackers have begun scanning for vulnerable servers, and there are tens of thousands of them online.
The vulnerabilities were discovered by researcher Orange Tsai, who used them in the Pwn2Own contest earlier this year. They were then disclosed to Microsoft, which patched them in April, although the bugs were not included in the advisories released that month and weren’t published until July. The flaws can be chained together in order to gain remote code execution on target servers, and other researchers have been able to reproduce the exploit that Tsai developed. During the Black Hat USA conference last week, Tsai gave a talk in which he detailed the flaws, which seems to have kicked off a wave of scanning for the vulnerabilities by attackers.
On Monday, Jan Kopriva of the SANS Internet Storm Center found more than 30,000 vulnerable Exchange servers online with a Shodan scan, more than 8,000 of which are in the United States. The vulnerabilities affect Exchange Server 2013, 2016, and 2019.
“Since the attack is not dependent on any memory corruption issues, but only on logic bugs in Exchange components, one can expect that most threat actors ‘worthy’ of that title would not have much difficulties in successfully executing it, given the aforementioned availability of information about it,” Kopriva wrote.
The three vulnerabilities, known collectively as ProxyShell, include a security feature bypass (CVE-2021-31207), an elevation of privilege (CVE-2021-34523), and a remote code execution bug (CVE-2021-34473), and Microsoft released patches for all three in April. Organizations that have stayed current on Exchange updates are protected against exploitation of these flaws.