Microsoft Exchange ProxyShell Vulnerability
What is the September 2021 Microsoft Exchange ProxyShell Vulnerability?
Exchange servers are under attack, again. This is not the March 2021 Hafnium (ProxyLogon) web shell campaign; ProxyShell is a separate chain of three vulnerabilities that is being used to compromise on-premises Exchange environments. Microsoft's patches close the holes, but only on servers where they have actually been installed, and a large number of on-premises Exchange servers are still unpatched.
Indicators of compromise:
One indicator of compromise is draft emails that were not created by the mailbox owner. The exploit chain stores attacker-supplied content as a mailbox item and then exports the mailbox to a file on disk, so the planted message is frequently left behind in Drafts.
Associated CVEs:
- CVE-2021-34473 (pre-authentication path confusion, remote code execution)
- CVE-2021-34523 (elevation of privilege on the Exchange PowerShell back end)
- CVE-2021-31207 (post-authentication arbitrary file write)
Is there a patch available?
Yes. The three vulnerabilities were fixed by the April 2021 (KB5001779) and May 2021 (KB5003435) Exchange security updates, months before the exploitation details became public; Microsoft re-issued its guidance to install them in late August 2021 after attacks began. Every later security update and Cumulative Update, including the July 2021 update described below, contains these fixes. A server that has installed them cannot be exploited by ProxyShell; the attacks being reported are against servers that have not. Patching does not remove a web shell that was planted earlier, so check the indicators below even after updating.
Where to look for the ProxyShell IOCs:
C:\inetpub\wwwroot\aspnet_client
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth
C:\Windows\System32\inetsrv\Config\applicationHost.config
C:\inetpub\temp\appPools\MSExchangeECPAppPool\MSExchangeECPAppPool.config
C:\ProgramData
C:\Users\All Users\COM
C:\Users\All Users\COM1
C:\Users\All Users\CON
C:\Users\All Users\WHO
C:\Users\All Users\XYZ
C:\Users\All Users\ZOO
C:\Users\All Users\ZING
Note that C:\Users\All Users is a junction to C:\ProgramData, so the COM, COM1, CON, WHO, XYZ, ZOO and ZING directories appear under both paths. COM1 and CON are reserved Windows device names: a directory with one of those names cannot be created or removed with ordinary tools and is suspicious in itself. In the web-reachable directories, look for .aspx or other script files that are not part of Exchange; for the two configuration files, look for recent changes that no administrator made.
What to do if you suspect you have been compromised:
If you have found draft emails that just appeared or any of the ProxyShell IOCs listed on this page, then you may be compromised.
Contact us, we can help. 612-399-9680
How To Fix the September 2021 Microsoft Exchange ProxyShell Vulnerability
What do you need to know before you begin?
- Estimated time to complete: 180 minutes
- The account that you’ll use to install the CU requires membership in the Exchange Organization Management role group. If the CU requires Active Directory schema updates or domain preparation, the account will likely require additional permissions. For more information, see Prepare Active Directory and domains for Exchange Server.
- Check the Release notes before you install the CU.
- Verify the target server meets the potentially new system requirements and prerequisites for the CU. For more information, see Exchange Server system requirements and Exchange Server prerequisites.
Caution
- Any customized Exchange or Internet Information Server (IIS) settings that you made in Exchange XML application configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an Exchange CU. Be sure to save this information so you can easily re-apply the settings after the install. After you install the Exchange CU, you need to re-configure these settings.
- After you install an Exchange CU, you need to restart the computer so that changes can be made to the registry and operating system.
Best Practices
- Always keep your servers as up to date as possible. This especially applies to the installation of a new server.
- Always install the latest Cumulative Update when creating a new server.
- There is no need to install the RTM build or previous builds and then upgrade to the latest Cumulative Update. This is because each Cumulative Update is a full build of the product.
- Reboot the server beforehand.
- Test the new update in a non-production environment first to avoid any problems in the new update affecting the running production environment.
- Have a tested and working backup of both the Active Directory and your Exchange Server.
- Backup any and all customizations. They will not survive the update.
- Use an elevated command prompt to run the Cumulative Update.
- Temporarily disable any anti-virus software during the update process, and re-enable it as soon as Setup completes.
- Reboot your server upon completion of the update.
Have ProxyShell questions or need guidance?
Install an Exchange CU using the Setup Wizard
1. Download the latest version of Exchange on the target computer. For more information, see Updates for Exchange Server.
2. In File Explorer, right-click on the Exchange CU ISO image file that you downloaded, and then select Mount. In the resulting virtual DVD drive that appears, start Exchange Setup by double-clicking Setup.exe.
3. The Exchange Server Setup wizard opens. On the Check for Updates? page, choose one of the following options, and then click Next to continue:
- Connect to the Internet and check for updates: We recommend this option, which searches for updates to the version of Exchange that you’re currently installing (it doesn’t detect newer CUs). This option takes you to the Downloading Updates page that searches for updates. Click Next to continue.
- Don’t check for updates right now
4. The Copying Files page shows the progress of copying files to the local hard drive. Typically, the files are copied to %WinDir%\Temp\ExchangeSetup, but you can confirm the location in the Exchange Setup log at C:\ExchangeSetupLogs\ExchangeSetup.log.
5. The Upgrade page shows that Setup detected the existing installation of Exchange, so you’re upgrading Exchange on the server (not installing a new Exchange server). Click Next to continue.
6. On the License Agreement page, review the software license terms, select I accept the terms in the license agreement, and then click Next to continue.
7. On the Readiness Checks page, verify that the prerequisite checks completed successfully. If they haven’t, the only option on the page is Retry, so you need to resolve the errors before you can continue.
After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the computer, you need to start over at Step 1.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so you can continue. Be sure to review any warnings, and then click Install to install Exchange.
8. On the Setup Progress page, a progress bar indicates how the installation is proceeding.
9. On the Setup Completed page, click Finish, and then restart the computer.
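The following PowerShell is an added example, not code from the original page or from Microsoft. It covers the two checks that bracket the wizard steps above: before Setup runs, copy the configuration files the Caution section warns are overwritten, keeping their directory layout so they can be diffed back in afterwards; after the reboot, confirm the installed build. The build is read from ExSetup.exe because that file version carries the Security Update level, whereas the AdminDisplayVersion shown by Get-ExchangeServer only reflects the CU. The backup location and the $MinimumBuild value are assumptions; take the real minimum build for your CU/SU from Microsoft's Exchange Server build numbers page.

```powershell
# Added example (not from the original page or from Microsoft): pre-install
# config backup and post-install build check around an Exchange CU/SU install.
# $BackupRoot and $MinimumBuild are assumed values; adjust them.

$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15"

function Backup-ExchangeCustomConfig {
    param(
        [string]$ExchangeRoot,
        [string]$BackupRoot = "C:\ExchangeConfigBackup"   # assumed location
    )
    $dest = Join-Path $BackupRoot (Get-Date -Format "yyyyMMdd-HHmmss")
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Every web.config under the install root (OWA/ECP/EWS customisations),
    # the transport config, and the IIS host config (custom modules, bindings).
    $files = @(Get-ChildItem -Path $ExchangeRoot -Recurse -Filter web.config -File -ErrorAction SilentlyContinue)
    foreach ($extra in @((Join-Path $ExchangeRoot "Bin\EdgeTransport.exe.config"),
                         "C:\Windows\System32\inetsrv\Config\applicationHost.config")) {
        if (Test-Path -LiteralPath $extra) { $files += Get-Item -LiteralPath $extra }
    }
    foreach ($f in $files) {
        # Mirror "Program Files\...\web.config" under the backup folder so the
        # post-install re-apply is a diff, not a guess.
        $rel    = $f.FullName -replace '^[A-Za-z]:\\', ''
        $target = Join-Path $dest $rel
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $target -Force
    }
    Write-Host ("{0} file(s) backed up to {1}" -f $files.Count, $dest)
    return $dest
}

function Test-ExchangeBuild {
    param(
        [string]$ExchangeRoot,
        [version]$MinimumBuild = "15.1.2308.14"   # assumed: Exchange 2016 CU21 + July 2021 SU; verify
    )
    # ExSetup.exe's file version changes with every SU; AdminDisplayVersion does not.
    $vi = (Get-Item -LiteralPath (Join-Path $ExchangeRoot "Bin\ExSetup.exe")).VersionInfo
    $installed = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        InstalledBuild = $installed
        MinimumBuild   = $MinimumBuild
        Patched        = ($installed -ge $MinimumBuild)
    }
}

# Step 0, before starting Setup.exe:
Backup-ExchangeCustomConfig -ExchangeRoot $ExchangeRoot
# Step 9, after the post-install reboot:
Test-ExchangeBuild -ExchangeRoot $ExchangeRoot | Format-List
```

Test-ExchangeBuild is the check to run on every server in the organization, not only the one just updated; wrapping it in Invoke-Command against the server list gives a single table of who is still below the minimum build. The wizard steps above can also be run unattended from the mounted ISO with Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms; the backup and the build check bracket the install either way.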
Contact us for advanced Exchange CU installation
Description of the security update for Microsoft Exchange Server 2016: July 13, 2021 (KB5004779)
Security Update 1 for Exchange Server 2016 Cumulative Update 21 resolves vulnerabilities in Microsoft Exchange Server. Security updates for a given CU are cumulative, so this update also contains the April and May 2021 fixes for the ProxyShell CVEs listed above. To learn more about the vulnerabilities addressed by this update, see the following Common Vulnerabilities and Exposures (CVE):
- CVE-2021-31196 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-31206 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-33768 | Microsoft Exchange Server Elevation of Privilege Vulnerability
Security Update 3 for Exchange Server 2016 Cumulative Update 20 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):
- CVE-2021-31196 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-31206 | Microsoft Exchange Server Remote Code Execution Vulnerability
Improvements in this update
- The Exchange Server version number is now added to the HTTP response reply header. You can use this information to validate the security update status of Exchange-based servers in your network.
Important: To be able to successfully install this security update, you must first make sure that the server authentication (OAuth) certificate is present and is not expired. If the OAuth certificate is not present or is expired, republish the certificate before you install this update (see the article referenced under Issue 5 below).
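The following function is an added example, not code from the page or from Microsoft. It performs the pre-install check the note above asks for: it reads the thumbprint the organization's auth configuration points at, confirms that certificate exists in the local server's store, and reports whether it is expired or close to expiring. Run it from the Exchange Management Shell on each server before installing the update. The 30-day warning threshold is this example's own choice.

```powershell
# Added example (not from the page or from Microsoft): verify the OAuth
# certificate named in Get-AuthConfig is present and valid on this server.
# $WarnDays is an assumed threshold.

function Test-ExchangeAuthCertificate {
    param([int]$WarnDays = 30)

    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    $result = [pscustomobject]@{
        Thumbprint = $thumb
        Present    = $false
        NotAfter   = $null
        DaysLeft   = $null
        Status     = "UNKNOWN"
        NextStep   = ""
    }

    if ([string]::IsNullOrEmpty($thumb)) {
        # Nothing is configured at the organization level at all.
        $result.Status   = "MISSING"
        $result.NextStep = "No OAuth certificate is configured; create and publish one (Microsoft's 'Can't sign in to OWA or EAC if OAuth certificate is expired' procedure) before running the SU."
        return $result
    }

    # The org config can point at a certificate this particular server never
    # received; Get-ExchangeCertificate only sees the local store.
    $cert = try { Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction Stop } catch { $null }
    if (-not $cert) {
        $result.Status   = "NOT-ON-SERVER"
        $result.NextStep = "AuthConfig references $thumb but it is not in this server's store; import it from a server that has it, or publish a new one, before running the SU."
        return $result
    }

    $result.Present  = $true
    $result.NotAfter = $cert.NotAfter
    $result.DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    if ($cert.NotAfter -lt (Get-Date)) {
        $result.Status   = "EXPIRED"
        $result.NextStep = "Republish a new OAuth certificate before installing the SU, then run iisreset; installing first leaves OWA and ECP unable to sign users in."
    } elseif ($result.DaysLeft -lt $WarnDays) {
        $result.Status   = "EXPIRING"
        $result.NextStep = "The SU will install, but plan the renewal now: OWA/ECP sign-in fails once the certificate lapses."
    } else {
        $result.Status   = "OK"
        $result.NextStep = "Safe to install the SU."
    }
    return $result
}

Test-ExchangeAuthCertificate | Format-List
```

The NOT-ON-SERVER case is the one most often missed: Get-AuthConfig is organization-wide, so a green result on one server says nothing about the others, and the check belongs in the per-server pre-flight rather than being run once.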
Known issues in this update
- Issue 1
When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.
When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.
This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.
Note: This issue does not occur if you install the update through Microsoft Update.
To avoid this issue, follow these steps to manually install this security update:
- Select Start, and type cmd.
- In the results, right-click Command Prompt, and then select Run as administrator.
- If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
- Type the full path of the .msp file, and then press Enter.
- Issue 2
Exchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.
- Issue 3
When you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.
- Issue 4
When you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails and generates a "(400) Bad Request" error message. For more information and workarounds to this issue, see "(400) Bad Request" error during Autodiscover for per-user free/busy in a trusted cross-forest topology.
- Issue 5
After you install Microsoft Exchange Server 2019, 2016, or 2013, you can't access Outlook Web App (OWA) or Exchange Control Panel (ECP). For more information, see Can't sign in to Outlook on the web or EAC if Exchange Server OAuth certificate is expired.
- Issue 6
After you install the July 2021 security update for Microsoft Exchange Server 2019, 2016, or 2013, you can’t log in to Outlook Web App (OWA) or Exchange Control Panel (ECP). For more information, see the following Exchange Team Blog article: Released: July 2021 Exchange Server Security Updates.
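The following PowerShell script is an added example, not code from the page or from Microsoft. It scripts the manual-install path from Issue 1 and the service repair from Issue 2: it refuses to run unless the session is elevated, applies the .msp through msiexec /update (the scripted equivalent of typing the .msp path at an elevated prompt) with a verbose log, and then restores Automatic start only on Exchange services that were Automatic before the install and Disabled after it. The package path and log path are assumptions.

```powershell
# Added example (not from the original page or from Microsoft): elevated SU
# install with logging (Known Issue 1) and repair of services the installer
# left Disabled (Known Issue 2). $MspPath and $LogPath are assumptions.

param(
    [Parameter(Mandatory = $true)][string]$MspPath,   # e.g. C:\Updates\Exchange2016-KB5004779-x64-en.msp
    [string]$LogPath = "C:\ExchangeSetupLogs\SU-install.log"
)

# A non-elevated run is exactly the silent-failure case in Known Issue 1, so refuse it.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated PowerShell session." }
if (-not (Test-Path -LiteralPath $MspPath)) { throw "Update package not found: $MspPath" }

# Snapshot start modes first so that only services the installer changed are
# touched afterwards; some Exchange services are legitimately Manual or Disabled.
$before = Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%'" |
    Select-Object Name, StartMode, State

# /norestart: reboot deliberately after the checks below. /l*v: verbose log to
# read if OWA or ECP stop working after the install.
$msiArgs = "/update `"$MspPath`" /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
Write-Host ("msiexec exit code {0} (0 = installed, 3010 = installed, reboot required)" -f $proc.ExitCode)

# Known Issue 2: services that were Automatic and are now Disabled get their
# start type restored and are started.
$repaired = @()
foreach ($svc in ($before | Where-Object { $_.StartMode -eq "Auto" })) {
    $now = Get-CimInstance Win32_Service -Filter "Name = '$($svc.Name)'"
    if ($now.StartMode -eq "Disabled") {
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name -ErrorAction Continue
        $repaired += $svc.Name
    }
}
if ($repaired.Count -gt 0) { Write-Host ("Re-enabled: " + ($repaired -join ", ")) }
else { Write-Host "No Exchange services were left disabled." }

# Final state for the change record; restart the server afterwards.
Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%'" |
    Sort-Object Name | Format-Table Name, StartMode, State -AutoSize
```

Keep the before and after service tables with the change record: if OWA or ECP fail after the reboot, the log at $LogPath and the service diff are the first two things to look at, and they distinguish Issue 1 (incomplete file update) from Issue 2 (services left disabled) from Issue 5 (expired OAuth certificate).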
How to get and install the update
Method 1: Microsoft Update
This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ .
Method 2: Microsoft Update Catalog
To get the standalone package for this update, go to the Microsoft Update Catalog website.
Method 3: Microsoft Download Center
You can get the standalone update package through the Microsoft Download Center.
- Download Security Update 1 for Exchange Server 2016 Cumulative Update 21 (KB5004779)
- Download Security Update 3 for Exchange Server 2016 Cumulative Update 20 (KB5004779)