笔者将相关信息进行简要整理发现,未经身份验证的攻击者可以通过仅打开的443端口在Microsoft Exchange Server上执行任意命令,危害严重!预计EXP很快将出现,建议尽快修复。
Q:为什么将其称为ProxyLogon?它与ZeroLogon有关吗?
A:不,完全无关。我们将其称为ProxyLogon,因为攻击利用了Exchange的Proxy架构和登录机制。
Q:为什么ProxyLogon很特别?
A:作为企业最知名的邮件服务器,Microsoft Exchange长期以来一直是攻击者的圣杯,最近一次Exchange 的RCE漏洞还要追溯到NSA 方程式组织的EnglishmansDentist,而受EnglishmansDentist影响的主要是很老版本的Exchange 2003 ,而ProxyLogon影响范围远超EnglishmansDentist,难道ProxyLogon还不够特别么?
Q: 在哪里可以找到更多信息?
A: 将来我们将发布技术论文。
Q: 哪些版本的Exchange Server受到影响?
A: 该漏洞是由于Exchange Server 2013的Client Access Service架构发生了重大变化而导致的,而较早版本的Exchange Server 2010于2020年10月EOS。所以所有主流的Exchange Server都容易受到攻击!
确切的易受攻击的版本表:
Exchange Server 2019 <15.02.0792.010
Exchange Server 2019 <15.02.0721.013
Exchange Server 2016 <15.01.2106.013
Exchange Server 2013 <15.00.1497.012
Q: 我该如何修复这个漏洞?
A:Microsoft已于2021年3月3日发布了安全更新程序来修复此漏洞。请尽快更新您的Exchange Server!
Q: ProxyLogon是内存损坏错误吗?
A: 与EnglishmansDentist不同,ProxyLogon完全是关于Web上的逻辑错误的。这意味着漏洞利用是可靠的,并且容易被黑客利用。
Q: 谁发现了ProxyLogon漏洞?
A:ProxyLogon由DEVCORE研究团队的Orange Tsai发现。如有疑问,您可以通过research@devco.re与我们联系。
漏洞披露时间线:
| October 01, 2020 | DEVCORE started reviewing the security on Microsoft Exchange Server |
| December 10, 2020 | DEVCORE discovered the first pre-auth proxy bug (CVE-2021-26855) |
| December 27, 2020 | DEVCORE escalated the first bug to an authentication bypass to become admin |
| December 30, 2020 | DEVCORE discovered the second post-auth arbitrary-file-write bug (CVE-2021-27065) |
| December 31, 2020 | DEVCORE chained all bugs together to a workable pre-auth RCE exploit |
| January 05, 2021 | DEVCORE sent (18:41 GMT+8) the advisory and exploit to Microsoft through the MSRC portal directly |
| January 06, 2021 | MSRC acknowledged the pre-auth proxy bug (MSRC case 62899) |
| January 06, 2021 | MSRC acknowledged the post-auth arbitrary-file-write bug (MSRC case 63835) |
| January 08, 2021 | MSRC confirmed the reported behavior |
| January 11, 2021 | DEVCORE attached a 120-days public disclosure deadline to MSRC and checked for bug collision |
| January 12, 2021 | MSRC flagged the intended deadline and confirmed no collision at that time |
| February 02, 2021 | DEVCORE checked for the update |
| February 02, 2021 | MSRC replied "they are splitting up different aspects for review individually and got at least one fix which should meet our deadline" |
| February 12, 2021 | MSRC asked the title for acknowledgements and whether we will publish a blog |
| February 13, 2021 | DEVCORE confirmed to publish a blog and said will postpone the technique details for two weeks, and will publish an easy-to-understand advisory (without technique details) instead |
| February 18, 2021 | DEVCORE provided the advisory draft to MSRC and asked for the patch date |
| February 18, 2021 | MSRC pointed out a minor typo in our draft and confirmed the patch date is 3/9 |
| February 27, 2021 | MSRC said they are almost set for release and wanted to ask if we're fine with being mentioned in their advisory |
| February 28, 2021 | DEVCORE agreed to be mentioned in their advisory |
| March 03, 2021 | MSRC said they are likely going to be pushing out their blog earlier than expected and won’t have time to do an overview of the blog |
| March 03, 2021 | MSRC published the patch and advisory and acknowledged DEVCORE officially |
| March 03, 2021 | DEVCORE has launched an initial investigation after informed of active exploitation advisory from Volexity |
| March 04, 2021 | DEVCORE has confirmed the in-the-wild exploit was the same one reported to MSRC |
| March 05, 2021 | DEVCORE hasn't found concern in the investigation so far |
