This live blog contains information regarding the ProxyRelay vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 21, 2022.
Update October 21, 2022
12:30 | In August 2021, the first three Microsoft Exchange Server vulnerabilities in a series of four were published by Devcore. This week, on the 19th of October 2022, Devcore published a blog on the fourth vulnerability called ProxyRelay. The blog can be found here: https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
The blog describes four vulnerabilities. Currently, there are no reports on exploitation of ProxyRelay in the wild. However, with the details provided by the blog, it is likely that exploits will be developed.
Microsoft has published security updates for Microsoft Exchange Server 2013, 2016 and 2019 and supported Microsoft Windows products. It is highly recommended to apply these patches during your regular periodic patch cycle.
Available information is currently limited. This blog will be updated as more information becomes available.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Potential Risk
ProxyRelay consists of multiple vulnerabilities and is better classified as an attack surface than as a single bug. Based on the current insights, it is possible to bypass authentication, access data (like emails) and execute code without user interaction.
Currently, there are no reports of exploitation of ProxyRelay in the wild, and exploitation in the short term is not expected. However, this might change based on the details published in the blog by Devcore.
Detail info
ProxyRelay consists of four vulnerabilities, three of which are currently registered as CVEs:
- CVE-2021-33768 – Relay to Exchange FrontEnd
- CVE-2022-21979 – Relay to Exchange BackEnd
- CVE-2021-26414 – Relay to Exchange DCOM
- CVE-2022-RESERVED – Relay to other services of Exchange
| CVE | CVE published | CVE last modified | CVSS v3 score | EPSS score | EPSS percentile |
|---|---|---|---|---|---|
| CVE-2021-26414 | 2021-06-08 | 2022-09-12 | 6.5 | 0.02844 | 0.82629 |
| CVE-2021-33768 | 2021-07-14 | 2022-05-03 | 8 | 0.0115 | 0.5942 |
| CVE-2022-21979 | 2022-08-09 | 2022-09-22 | 5.7 | | |
Table 1 – CVE details information on the 19th of October 2022
Based on the current CVSS and EPSS scores, the vulnerabilities on their own do not seem critical. However, it is the combination of the vulnerabilities and the ProxyRelay attack surface that poses the real threat. That is why Devcore reported the vulnerability in June 2021 to Microsoft and published their blog more than a year later.
Microsoft released security patches as part of the Exchange August 2022 Security Updates for the following versions of Microsoft Exchange Server:
- Microsoft Exchange Server 2013 CU23
- Microsoft Exchange Server 2016 CU22 and CU23
- Microsoft Exchange Server 2019 CU11 and CU12
Additionally, it is advised to apply the Microsoft Windows Cumulative Security Updates of at least June 2022 to the Windows server that runs Microsoft Exchange Server.
Although upgrading an Exchange Server can be a challenge, it is highly recommended to apply the patches. While there are no reports of exploitation in the wild, it is likely that exploit methods will be developed after publication of the ProxyRelay details.
Sources
More information:
- August 2022 Exchange Server Security Updates – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/359386
- ProxyRelay blog by Devcore – https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
- ProxyShell blog by Devcore – https://devco.re/blog/2021/08/22/a-new-attack-surface-on-MS-exchange-part-3-ProxyShell/
- ProxyOracle blog by Devcore – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/
- ProxyLogon blog by Devcore – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/
- Microsoft Advisory CVE-2021-33768 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768
- Microsoft Advisory CVE-2022-21979 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21979
- Microsoft Advisory CVE-2021-26414 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414