ProxyRelay vulnerability

This live blog contains information regarding the ProxyRelay vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 21, 2022.

Update October 21, 2022

12:30 | In August 2021, the first three Microsoft Exchange Server vulnerabilities in a series of four were published by Devcore. This week, on the 19th of October 2022, Devcore published a blog on the fourth vulnerability called ProxyRelay. The blog can be found here: https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/

The blog describes four vulnerabilities. Currently, there are no reports on exploitation of ProxyRelay in the wild. However, with the details provided by the blog, it is likely that exploits will be developed.

Microsoft has published security updates for Microsoft Exchange Server 2013, 2016 and 2019 and supported Microsoft Windows products. It is highly recommended to apply these patches during your regular periodic patch cycle.

Available information is currently limited. This blog will be updated as more information becomes available.

Background

This week, on the 19th of October 2022, Devcore published a blog on the fourth vulnerability called ProxyRelay. The blog can be found here: https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/

The blog describes four vulnerabilities. Currently, there are no reports on exploitation of ProxyRelay in the wild. However, with the details provided by the blog, it is likely that exploits will be developed.

Risk

ProxyRelay consists of multiple vulnerabilities and is better classified as an attack surface than as a single bug. Based on the current insights, it is possible to bypass authentication, access data (like emails) and execute code without user interaction.

Currently, there are no reports of exploitation of ProxyRelay in the wild, and exploitation in the short term is not expected. However, this might change based on the details published in the blog by Devcore.

Advice

ProxyRelay consists of four vulnerabilities, three of which are currently registered as a CVE:

  • CVE-2021-33768 – Relay to Exchange FrontEnd
  • CVE-2022-21979 – Relay to Exchange BackEnd
  • CVE-2021-26414 – Relay to Exchange DCOM
  • CVE-2022-RESERVED – Relay to other services of Exchange


| CVE | CVE published | CVE last modified | CVSS score | EPSS score | EPSS percentile |
|---|---|---|---|---|---|
| CVE-2021-26414 | 2021-06-08 | 2022-09-12 | 6.5 | 0.02844 | 0.82629 |
| CVE-2021-33768 | 2021-07-14 | 2022-05-03 | 8 | 0.0115 | 0.5942 |
| CVE-2022-21979 | 2022-08-09 | 2022-09-22 | 5.7 | 0.0115 | 0.5942 |

Based on the current CVSS and EPSS scores, the vulnerabilities by themselves do not seem critical. However, it is the combination of the vulnerabilities and the ProxyRelay attack surface that poses the real threat. That is why Devcore reported the vulnerability in June 2021 to Microsoft and published their blog more than a year later.

Microsoft released security patches as part of the Exchange August 2022 Security Updates for the following versions of Microsoft Exchange Server:

  • Microsoft Exchange Server 2013 CU23
  • Microsoft Exchange Server 2016 CU22 and CU23
  • Microsoft Exchange Server 2019 CU11 and CU12

Additionally, it is advised to apply the Cumulative Security Updates for Microsoft Windows, of at least June 2022, on the server that hosts Microsoft Exchange Server.

Although the upgrade of an Exchange Server can be a challenge, it is highly recommended to apply the patches. While there are no reports of exploitation in the wild, it is likely that exploit methods will be developed after publication of the ProxyRelay details.
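An inventory check against the baselines listed above, as an added example that is not part of the original advisory or of Microsoft's tooling. The CSV columns, host names and update months are constructed assumptions; the CU list mirrors this page as of October 2022, so later CUs would have to be added by hand.

```python
import csv
import io
from datetime import date

# Baselines copied from the advisory text (state of October 2022).
PATCHED_CUS = {"2013": {"CU23"}, "2016": {"CU22", "CU23"}, "2019": {"CU11", "CU12"}}
MIN_EXCHANGE_SU = date(2022, 8, 1)  # Exchange August 2022 Security Updates
MIN_WINDOWS_CU = date(2022, 6, 1)   # Windows cumulative update, at least June 2022

# Constructed sample inventory; the column names are hypothetical.
INVENTORY_CSV = """host,exchange,cu,exchange_su,windows_cu
mail01,2019,CU12,2022-08,2022-09
mail02,2016,CU21,2022-03,2022-07
mail03,2013,CU23,2022-05,2022-04
mail04,2010,SP3,,2021-12
"""

def parse_month(value):
    """Turn 'YYYY-MM' into a date; an empty field means nothing recorded."""
    if not value:
        return None
    year, month = value.split("-")
    return date(int(year), int(month), 1)

def assess(server):
    """Return the outstanding patch actions for one inventory row."""
    cus = PATCHED_CUS.get(server["exchange"])
    if cus is None:
        return ["Exchange version not covered by the August 2022 updates"]
    actions = []
    if server["cu"] not in cus:
        # The security update only installs on the CUs named in the advisory.
        actions.append("move to a patched CU first: " + ", ".join(sorted(cus)))
    su = parse_month(server["exchange_su"])
    if su is None or su < MIN_EXCHANGE_SU:
        actions.append("install the Exchange August 2022 Security Update or later")
    win = parse_month(server["windows_cu"])
    if win is None or win < MIN_WINDOWS_CU:
        actions.append("install the Windows cumulative update of June 2022 or later")
    return actions

def report(csv_text):
    """Map each host in the CSV to its list of outstanding actions."""
    return {row["host"]: assess(row) for row in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, actions in report(INVENTORY_CSV).items():
        print(host, "OK" if not actions else "; ".join(actions))
```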
