
DETECTION OVERVIEW

ProxyShell and ProxyNOTShell Exploits - [Multiple CVEs]

Risk Factors

ProxyShell and ProxyNOTShell are two chains of Microsoft Exchange Server vulnerabilities that combine server-side request forgery (SSRF) with remote code execution (RCE). An unauthenticated attacker with network access to an unpatched Exchange Server can exploit the ProxyShell SSRF, CVE-2021-34473; exploiting the ProxyNOTShell SSRF, CVE-2022-41040, requires authentication as a valid Exchange user. By chaining either SSRF with the RCE vulnerabilities in the same chain, the attacker can run code on the server and take control of it.

Kill Chain

Exploitation

Risk Score

84


Attack Background

Microsoft Exchange Server has vulnerabilities (CVE-2021-34473 for ProxyShell and CVE-2022-41040 for ProxyNOTShell) in how its front-end services validate request URIs, enabling server-side request forgery (SSRF). The front-end (Client Access) services accept client connections and act as a proxy, forwarding each request to the appropriate back-end service. The attacker sends an HTTP request with a specially crafted URI to the Autodiscover proxy endpoint; the front end strips the attacker-controlled part of the path and forwards the remainder to a back-end service of the attacker's choosing. As a result, the attacker can reach internal service endpoints that should not be exposed and exploit the remaining vulnerabilities in the chain to run code with SYSTEM privileges. The chained vulnerabilities are referred to as ProxyShell and ProxyNOTShell.
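The request shape described above is what a network or web-server-log detection has to key on. The following is an added example, not ExtraHop's detection logic or Microsoft's code: it normalizes request URIs (percent-decoding and case-folding, since the `@` and the back-end path can be encoded or mixed-case), flags Autodiscover requests that carry the `user@domain` path trick, and names the back-end service they are steered toward. The log lines are constructed for the example, the list of back-end targets is illustrative rather than exhaustive, and the narrower `matches_mitigation_regex` check is modelled on the `autodiscover.json … @ … powershell` IIS URL Rewrite pattern from the Microsoft guidance and is included only to show why a broad detection should not stop at that pattern.

```python
import re
from urllib.parse import unquote

# Constructed request-log lines in "METHOD URI STATUS" form. Not real traffic.
SAMPLE_REQUESTS = [
    "GET /autodiscover/autodiscover.json?@evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 200",
    "POST /autodiscover/autodiscover.json?@evil.corp/powershell/?X-Rps-CAT=abc&Email=autodiscover/autodiscover.json%3F@evil.corp 200",
    "POST /Autodiscover/Autodiscover.json?%40evil.corp/PowerShell/ 200",   # encoded '@', mixed case
    "GET /autodiscover/autodiscover.xml 200",                              # benign Autodiscover
    "POST /owa/auth.owa 302",                                              # benign OWA login
    "GET /mapi/nspi/ 401",                                                 # direct back-end path, no Autodiscover hop
]

# Back-end paths commonly reached through the Autodiscover SSRF hop.
# Assumption: illustrative list, extend it for your environment.
BACKEND_TARGETS = {
    "powershell": "/powershell",
    "mapi/nspi": "/mapi/nspi",
    "ews": "/ews/",
    "ecp": "/ecp/",
}

REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$")


def normalize_uri(uri: str) -> str:
    """Percent-decode twice (defeats single and double encoding) and case-fold."""
    return unquote(unquote(uri)).lower()


def classify(uri: str):
    """Return a pattern name for a suspicious Autodiscover URI, or None if it looks benign."""
    u = normalize_uri(uri)
    if "autodiscover.json" not in u:
        return None
    # The SSRF relies on the "user@domain" form after autodiscover.json: the front end
    # drops everything up to the '@' and proxies the rest to the back end.
    _, _, after_path = u.partition("?")
    if "@" not in after_path:
        return None
    for name, path in BACKEND_TARGETS.items():
        if path in u:
            return f"autodiscover-ssrf->{name}"
    return "autodiscover-ssrf"


def matches_mitigation_regex(uri: str) -> bool:
    """Narrow check in the spirit of the published URL Rewrite rule: Autodiscover + '@' + PowerShell."""
    return re.search(r"autodiscover\.json.*@.*powershell", normalize_uri(uri)) is not None


def detect(lines):
    """Scan request lines and return (line_index, method, pattern) for each hit."""
    hits = []
    for idx, line in enumerate(lines):
        m = REQ_RE.match(line.strip())
        if not m:
            continue  # skip unparsable lines rather than failing closed
        pattern = classify(m.group("uri"))
        if pattern:
            hits.append((idx, m.group("method"), pattern))
    return hits


if __name__ == "__main__":
    for idx, method, pattern in detect(SAMPLE_REQUESTS):
        print(f"line {idx}: {method} -> {pattern}")
```

Note that the first sample line (an SSRF hop toward `/mapi/nspi`) is flagged by `classify` but not by `matches_mitigation_regex`, which is exactly the gap a PowerShell-only blocking rule leaves; a detection should alert on the Autodiscover `@` trick regardless of which back-end service it targets.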

Mitigation Options

Implement the mitigation steps in the Microsoft Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
Install the Microsoft security updates that address these CVEs for the affected Exchange Server versions

MITRE ATT&CK ID
