Technical Advisory: Proxy*Hell Exploit Chains in the Wild
[Figure: ProxyShell exploit chain]

Microsoft Exchange is an ideal target for these exploit chains for a few different reasons:

- There is a complex network of frontend and backend services, with legacy code to provide backward compatibility (many to many relationships)
- Backend services trust the requests from the front-end CAS layer - in the case of an SSRF attack, a valid Kerberos token is generated by CAS
- Multiple backend services that are running as Exchange Server itself (SYSTEM account)
- Remote PowerShell (RPS) includes hundreds of PowerShell cmdlets

In a relatively short time, multiple combinations of vulnerabilities have been discovered:

- ProxyLogon – The initial exploit chain was a combination of CVE-2021-26855 and CVE-2021-27065.

Microsoft Exchange is an example of an application that is using proxy services to shield the sensitive backend from the untrusted public network.

[Figure 4: An example SSRF attack targeting proxy service endpoint]

Proxy attacks on Microsoft Exchange – How it started …

Most of the vulnerabilities discovered by security researchers are based on flawed implementations – for example, memory bugs or code injections.
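The trust relationship described above (a back end that accepts whatever the front-end proxy forwards, with the front end's own credential attached) is shown below as a small router with a weak and a hardened form. This is an added example, not code from the original article or from Microsoft Exchange; the backend names, hosts, token and function names are hypothetical and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed inventory: logical service name -> fixed internal origin (hypothetical).
BACKENDS = {
    "mailbox": "https://be01.internal.example:444",
    "autodiscover": "https://be02.internal.example:444",
}
SERVICE_TOKEN = "frontend-service-ticket"  # stands in for the proxy's own credential


def route_naive(hint: str, path: str) -> dict:
    """Weak pattern: a client-supplied hint is used directly as the backend host,
    so the proxy's credential follows the request wherever the client points it."""
    return {"url": f"https://{hint}{path}", "auth": SERVICE_TOKEN}


def route_strict(hint: str, path: str) -> dict:
    """Hardened pattern: the hint must be a known logical name and the path must
    stay a plain absolute path on that pinned origin."""
    origin = BACKENDS.get(hint)
    if origin is None:
        raise ValueError(f"unknown backend hint: {hint!r}")
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"rejected path: {path!r}")
    url = origin + path
    # Defence in depth: re-parse and confirm the credential only goes to the pinned origin.
    resolved = urlsplit(url)
    if f"{resolved.scheme}://{resolved.netloc}" != origin:
        raise ValueError("resolved origin drifted from allowlist")
    return {"url": url, "auth": SERVICE_TOKEN}


def audit(requests):
    """Return the (hint, path) pairs the strict router refuses; usable as a log check."""
    refused = []
    for hint, path in requests:
        try:
            route_strict(hint, path)
        except ValueError:
            refused.append((hint, path))
    return refused


# Constructed sample requests: one legitimate, three that try to steer the proxy.
SAMPLE = [("mailbox", "/owa/inbox"), ("unlisted.example", "/x"),
          ("mailbox", "//other.example/x"), ("autodiscover", "/a/../b")]
```

Running `audit(SAMPLE)` returns the three steering attempts, which is the set a defender would want alerted on at the proxy tier.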
Source read time: 15 min - businessinsights.bitdefender.com