Patch Exchange Server now: Attackers are actively looking for new vulnerabilities


Microsoft Exchange Server is a popular target for cyber criminals. The mail server is widespread in companies and public authorities and is often a gateway into their networks. Last week, security researcher Orange Tsai presented new attacks on the software at the Black Hat 2021 conference. Only a few days later, attackers are apparently searching specifically for the vulnerability, as operators of honeypots report. Admins should install all available updates on their servers immediately. The updates appeared months ago and close the gaps.

As Orange Tsai describes in his talk, he had to chain several problems together in order to gain access from outside as an unauthenticated user and then escalate his privileges. The weak point was in the Exchange Client Access Service (CAS), which handles incoming traffic for various protocols. The open gate was the Autodiscover function. Mail clients use the Autodiscover file to retrieve details about the server during setup, saving the user from having to type in the server address, port and other details.

Three CVE numbers were assigned to the problems, which go down in history under the name ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Microsoft fixed them in April and May with KB5001779 and KB5003435. Microsoft patched the first two holes before Tsai reported them, so it must have learned of them by another route. Anyone who has not patched their Internet-facing servers since then needs to do so quickly.

Only a few days after the talk at Black Hat, IT security expert Kevin Beaumont observed, on an Exchange server he had set up as a honeypot, log entries showing that exactly this Autodiscover vulnerability was being probed. This indicates that attackers are also following the presentations at security conferences and quickly adapting their automated scans.

Security researcher Orange Tsai, meanwhile, cannot hope for a reward from Microsoft’s bug bounty program. Exchange Server is not covered by the program.