ProxyRelay vulnerability
This live blog contains information regarding the ProxyRelay vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 21, 2022.
T-Update
This live blog contains information regarding the ProxyRelay vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 21, 2022.
Update October 21, 2022
12:30 | In August 2021, the first three Microsoft Exchange Server vulnerabilities in a series of four were published by Devcore. This week, on the 19th of October 2022, Devcore published a blog on the fourth vulnerability called ProxyRelay. The blog can be found here: https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
The blog describes four vulnerabilities. Currently, there are no reports on exploitation of ProxyRelay in the wild. However, with the details provided by the blog, it is likely that exploits will be developed.
Microsoft has published security updates for Microsoft Exchange Server 2013, 2016 and 2019 and supported Microsoft Windows products. It is highly recommended to apply these patches during your regular periodic patch cycle.
Available information is currently limited. This blog will be updated as more information becomes available.
Background
This week, on the 19th of October 2022, Devcore published a blog on the fourth vulnerability called ProxyRelay. The blog can be found here: https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/ The blog describes four vulnerabilities. Currently, there are no reports on exploitation of ProxyRelay in the wild. However, with the details provided by the blog, it is likely that exploits will be developed.
Risk
ProxyRelay consists of multiple vulnerabilities and could better be classified as an attack surface than a single bug. Based on the current insights, it is possible to bypass authentication, access data (like emails) and execute code without user-interaction.
Currently, there are no reports on exploitation of ProxyRelay in the wild and exploitation on short term is not expected. Although, this might change based on the details published in the blog by Devcore.
Advice
ProxyRelay consist of four vulnerabilities, three of which are currently registered as a CVE:
- CVE-2021-33768 – Relay to Exchange FrontEnd
- CVE-2022-21979 – Relay to Exchange BackEnd
- CVE-2021-26414 – Relay to Exchange DCOM
- CVE-2022-RESERVED – Relay to other services of Exchange
Sources
More information:
- August 2022 Exchange Server Security Updates – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/359386
- ProxyRelay blog van Devcore- https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
- ProxyShell blog van Devcore – https://devco.re/blog/2021/08/22/a-new-attack-surface-on-MS-exchange-part-3-ProxyShell/
- ProxyOracle blog van Devcore – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/
- ProxyLogon blog van Devcore – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/
- Microsoft Advisory CVE-2021-33768 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768
- Microsoft Advisory CVE-2022-21979 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21979
- Microsoft Advisory CVE-2021-26414 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414
Sign up to receive T-Updates
Receive the latest vulnerabilities in your email every Wednesday
More than 1,000 organisations have already joined us.
