The next mass exploitation of Exchange servers via a pre-auth RCE has been sighted, chaining multiple vulnerabilities to achieve RCE and install webshells on affected machines.
ProxyShell is a chain of:
- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-31207
Luckily, ProxyShell only works on Exchange 2016 and later, not on earlier versions, even if unpatched. Read the analysis by Orange Tsai to understand the attack surface and where the bugs originate; more details and links below under References.
Expect more malicious activity very soon, since public POCs have been available since 2021-08-09.
All vulnerabilities were patched in May, but 13,000 Exchange servers are still exploitable (vulnscan results, see below; Shodan reports 72k as of 2021-08-11).
Malicious activity was already seen in July.
Early detection
Some facts
Vulnscan results by country and network
SUMMARY for ms_exchange_proxyshell_vulnscan / CVE-2021-34473
IPs : 13565
Networks : 7728
ASNs : 3484
Countries : 176
Top 100 Countries
Country | Count
--------+-----------
US | 3432
DE | 2067
GB | 814
FR | 649
RU | 577
IT | 571
CA | 490
CH | 409
AT | 380
NL | 361
AU | 327
HK | 149
BE | 138
TR | 134
CZ | 119
TW | 117
SE | 116
BR | 111
PT | 105
ES | 102
IR | 89
HU | 85
IN | 84
ZA | 83
DK | 70
AE | 62
MX | 61
PL | 60
IL | 59
VN | 50
AR | 49
NO | 49
SG | 49
TH | 48
NZ | 47
UA | 46
ID | 46
GR | 45
MY | 44
EG | 42
KR | 41
SA | 41
IE | 39
LU | 39
RO | 38
BG | 36
KW | 35
MU | 35
SI | 28
PK | 26
HR | 25
FI | 24
SK | 24
LB | 24
OM | 23
CY | 22
JP | 20
JO | 20
PE | 19
PH | 19
KZ | 19
TN | 18
MA | 18
CL | 17
AZ | 17
BH | 17
RS | 16
CO | 16
KE | 16
VE | 15
LV | 15
KH | 14
LT | 14
AL | 13
QA | 13
GE | 12
EE | 11
CI | 11
NA | 11
MT | 10
SN | 10
PG | 10
Top 100 ASNs
ASN_NR | Count | ASNName
----------+--------+-----------------------------------
3320 | 990 | DTAG Internet service provider operations, DE
7922 | 424 | COMCAST-7922, US
3209 | 268 | VODANET International IP-Backbone of Vodafone, DE
3215 | 232 | France Telecom - Orange, FR
7018 | 220 | ATT-INTERNET4, US
3303 | 159 | SWISSCOM Swisscom Switzerland Ltd, CH
2856 | 145 | BT-UK-AS BTnet UK Regional network, GB
8447 | 145 | A1TELEKOM-AT A1 Telekom Austria AG, AT
22773 | 141 | ASN-CXA-ALL-CCI-22773-RDC, US
3269 | 137 | ASN-IBSNAZ, IT
701 | 118 | UUNET, US
10796 | 103 | TWC-10796-MIDWEST, US
20115 | 103 | CHARTER-20115, US
8075 | 91 | MICROSOFT-CORP-MSN-AS-BLOCK, US
209 | 82 | CENTURYLINK-US-LEGACY-QWEST, US
3549 | 80 | LVLT-3549, US
3462 | 79 | HINET Data Communication Business Group, TW
12874 | 78 | FASTWEB, IT
24940 | 69 | HETZNER-AS, DE
201429 | 66 | TRANSAVTOLIZ-AS, RU
1221 | 65 | ASN-TELSTRA Telstra Corporation Ltd, AU
577 | 64 | BACOM, CA
174 | 61 | COGENT-174, US
5432 | 61 | PROXIMUS-ISP-AS, BE
852 | 59 | TELUS Communications, CA
8412 | 57 | TMA Magenta Telekom, AT
6327 | 56 | SHAW, CA
9145 | 56 | EWETEL Cloppenburger Strasse 310, DE
33915 | 55 | TNF-AS, NL
11427 | 53 | TWC-11427-TEXAS, US
5413 | 53 | AS5413, GB
30722 | 52 | VODAFONE-IT-ASN, IT
5089 | 51 | NTL, GB
6830 | 50 | LIBERTYGLOBAL Liberty Global formerly UPC Broadband Holding, aka AORTA, NL
15557 | 48 | LDCOMNET, FR
7029 | 47 | WINDSTREAM, US
5650 | 46 | FRONTIER-FRTR, US
6128 | 46 | CABLE-NET-1, US
8220 | 46 | COLT COLT Technology Services Group Limited, GB
8881 | 46 | VERSATEL, DE
1136 | 45 | KPN KPN National, NL
5384 | 44 | EMIRATES-INTERNET Emirates Internet, AE
33363 | 43 | BHN-33363, US
3352 | 43 | TELEFONICA_DE_ESPANA, ES
31655 | 41 | ASN-GAMMATELECOM, GB
16276 | 39 | OVH, FR
3356 | 39 | LEVEL3, US
8767 | 39 | MNET-AS Germany, DE
15525 | 38 | MEO-EMPRESAS, PT
34984 | 38 | TELLCOM-AS, TR
6848 | 38 | TELENET-AS, BE
4515 | 37 | ERX-STAR HKT Limited, HK
20001 | 34 | TWC-20001-PACWEST, US
9121 | 34 | TTNET, TR
9381 | 34 | HKBNES-AS-AP HKBN Enterprise Solutions HK Limited, HK
786 | 32 | JANET Jisc Services Limited, GB
812 | 32 | ROGERS-COMMUNICATIONS, CA
12389 | 31 | ROSTELECOM-AS, RU
5769 | 31 | VIDEOTRON, CA
11426 | 30 | TWC-11426-CAROLINAS, US
16509 | 30 | AMAZON-02, US
20676 | 29 | PLUSNET *****************, DE
42337 | 29 | RESPINA-AS, IR
60294 | 29 | DE-DGW Deutsche Glasfaser Wholesale Internet, DE
6871 | 29 | PLUSNET UK Internet Service Provider, GB
14265 | 28 | US-TELEPACIFIC, US
8422 | 28 | NETCOLOGNE, DE
21886 | 27 | MINDSHIFT, US
7545 | 27 | TPG-INTERNET-AP TPG Telecom Limited, AU
12552 | 26 | IPO-EU, SE
13037 | 26 | ZEN-AS Zen Internet - UK, GB
11351 | 25 | TWC-11351-NORTHEAST, US
8452 | 25 | TE-AS TE-AS, EG
8468 | 25 | ENTANET ENTANET International Limited, GB
16347 | 24 | RMI-FITECH, FR
35612 | 24 | NGI-AS, IT
3758 | 24 | SINGNET SingNet, SG
1680 | 23 | NV-ASN CELLCOM ltd., IL
1836 | 23 | GREEN green.ch AG Autonomous System, CH
3216 | 22 | SOVAM-AS, RU
6799 | 22 | OTENET-GR Athens - Greece, GR
30036 | 21 | MEDIACOM-ENTERPRISE-BUSINESS, US
4788 | 21 | TMNET-AS-AP TM Net, Internet Service Provider, MY
6661 | 21 | EPT-LU Entreprise des P. et T. Luxembourg, LU
12312 | 20 | ECOTEL, DE
12353 | 20 | VODAFONE-PT Vodafone Portugal, PT
5610 | 20 | O2-CZECH-REPUBLIC, CZ
8151 | 20 | Uninet S.A. de C.V., MX
8399 | 20 | SEWAN-, FR
8437 | 20 | UTA-AS, AT
8758 | 20 | IWAY, CH
21334 | 19 | ASN-VODAFONE-, HU
25180 | 19 | EXPONENTIAL-E-AS, GB
46887 | 19 | LIGHTOWER, US
5410 | 19 | BOUYGTEL-ISP, FR
5588 | 19 | GTSCE GTS Central Europe Antel Germany, CZ
60175 | 19 | WAG Bredenhop 20, DE
6805 | 19 | TDDE-ASN1, DE
8426 | 19 | CLARANET-AS ClaraNET LTD, GB
11215 | 18 | LOGIXCOMM-AS, US
12399 | 18 | SCAN-PLUS-AS scanplus GmbH, DE
15589 | 18 | ASN-CLOUDITALIA, IT
16019 | 18 | VODAFONE-CZ-AS, CZ
28685 | 18 | ASN-ROUTIT, NL
20746 | 17 | ASN-IDC T.NO.OM.I.NC, IT
21056 | 17 | ASN-WELCOMEITALIA, IT
3265 | 17 | XS4ALL-NL Amsterdam, NL
3292 | 17 | TDC TDC AS, DK
42652 | 17 | DELUNET, DE
4739 | 17 | INTERNODE-AS Internode Pty Ltd, AU
12876 | 16 | Online SAS, FR
2116 | 16 | ASN-CATCHCOM, NO
45899 | 16 | VNPT-AS-VN VNPT Corp, VN
4766 | 16 | KIXS-AS-KR Korea Telecom, KR
50340 | 16 | SELECTEL-MSK, RU
5466 | 16 | EIRCOM Internet House, IE
10143 | 15 | EXETEL-AS-AP Exetel Pty Ltd, AU
12400 | 15 | PARTNER-AS, IL
4230 | 15 | CLARO S.A., BR
58224 | 15 | TCI, IR
680 | 15 | DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE
12271 | 14 | TWC-12271-NYC, US
12322 | 14 | PROXAD, FR
2860 | 14 | NOS_COMUNICACOES, PT
36937 | 14 | Neotel-AS, ZA
4755 | 14 | TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN
6181 | 14 | FUSE-NET, US
7992 | 14 | COGECOWAVE, CA
9105 | 14 | TISCALI-UK TalkTalk Communications Limited, GB
10103 | 13 | HKBN-AS-AP HK Broadband Network Ltd., HK
11232 | 13 | MIDCO-NET, US
1257 | 13 | TELE2, EU
13649 | 13 | ASN-VINS, US
15830 | 13 | EQUINIX-CONNECT, GB
16814 | 13 | NSS S.A., AR
19108 | 13 | SUDDENLINK-COMMUNICATIONS, US
20632 | 13 | PETERSTAR-AS Saint-Petersburg, RU
206509 | 13 | KCOM-UK-AS, GB
20860 | 13 | IOMART-AS, GB
25540 | 13 | ALPHALINK-AS, FR
28885 | 13 | OMANTEL-NAP-AS OmanTel NAP, OM
5396 | 13 | AS-IRIDEOS-MC, IT
5483 | 13 | MAGYAR-TELEKOM-MAIN-AS Magyar Telekom Nyrt., HU
6461 | 13 | ZAYO-6461, US
8359 | 13 | MTS, RU
8445 | 13 | SALZBURG-AG-AS, AT
15924 | 12 | BORUSANTELEKOM-AS, TR
22652 | 12 | FIBRENOIRE-INTERNET, CA
2764 | 12 | AAPT AAPT Limited, AU
31027 | 12 | GLOBALCONNECT-AS, DK
3301 | 12 | TELIANET-SWEDEN Telia Company, SE
9498 | 12 | BBIL-AP BHARTI Airtel Ltd., IN
14618 | 11 | AMAZON-AES, US
15802 | 11 | DU-AS1, AE
15943 | 11 | WTNET-AS wilhelm.tel GmbH, DE
16735 | 11 | ALGAR TELECOM SA, BR
20811 | 11 | BRENNERCOM-AS, IT
21528 | 11 | ALASCONNECT, US
23498 | 11 | CDSI, CA
35540 | 11 | OVH-TELECOM, FR
38794 | 11 | UIH-BBB-AS-AP UIH, TH
47217 | 11 | PLANETEL-SPA, IT
5056 | 11 | AUREON-5056, US
6730 | 11 | SUNRISE, CH
8551 | 11 | BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone, IL
9063 | 11 | SAARGATE-AS VSE NET GmbH, DE
9269 | 11 | HKBN-AS-AP Hong Kong Broadband Network Ltd., HK
9919 | 11 | NCIC-TW New Century InfoComm Tech Co., Ltd., TW
11404 | 10 | AS-WAVE-1, US
11492 | 10 | CABLEONE, US
12350 | 10 | VTX-NETWORK, CH
12430 | 10 | VODAFONE_ES, ES
1267 | 10 | ASN-WINDTRE IUNET, IT
18403 | 10 | FPT-AS-AP The Corporation for Financing & Promoting Technology, VN
23005 | 10 | SWITCH-LTD, US
29177 | 10 | ASCOTLC-AS Telecoms Services Provider, IT
31115 | 10 | INTRED-AS, IT
3243 | 10 | MEO-RESIDENCIAL, PT
37100 | 10 | SEACOM-AS, MU
3741 | 10 | IS, ZA
3786 | 10 | LGDACOM LG DACOM Corporation, KR
4764 | 10 | WIDEBAND-AS-AP Aussie Broadband, AU
4826 | 10 | VOCUS-BACKBONE-AS Vocus Connect International Backbone, AU
5602 | 10 | AS-IRIDEOS-KP, IT
6713 | 10 | IAM-AS, MA
6866 | 10 | CYTA-NETWORK Internet Services, CY
References
- Orange Tsai: A New Attack Surface on MS Exchange
- DEF CON talk by Orange Tsai on ProxyShell
- Autodiscover V2
- Reproducing The ProxyShell Pwn2Own Exploit
- Orange Tsai: ProxyLogon is Just the Tip of the Iceberg - Talk @ BlackHat
- RedditThreat with ongoing analysis and reports
Questions? Contact: info@zero.bs