Tens of thousands of Microsoft Exchange servers are still vulnerable to both the infamous ProxyLogon and ProxyShell vulnerabilities, despite patches being available for several months.
ProxyLogon refers primarily to CVE-2021-26855, a server-side request forgery vulnerability that impacts on-premises Microsoft Exchange servers and was disclosed and patched along with three closely related vulnerabilities back in March. Tens of thousands of organizations are estimated to have been impacted by these vulnerabilities.
ProxyShell, meanwhile, is the name given to three other Exchange Server vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Together, they allow for remote code execution and escalation of privileges. The first two were patched in April and disclosed in July, while CVE-2021-31207 was disclosed and patched in May.
According to a recent Shodan scan of 239,426 internet-facing Exchange servers, 13,662 were still vulnerable to ProxyLogon and its related CVEs. Threat intelligence vendor RiskIQ told SearchSecurity that it found 15,100 vulnerable servers in June.
Meanwhile, 48,355 servers were vulnerable to all three ProxyShell flaws.
The ProxyShell vulnerabilities gained greater attention after a Black Hat session on Aug. 5 when a Devcore security researcher known as "Orange Tsai," who is credited with the discovery of the exploit chain, demonstrated the flaws and argued that ProxyLogon was only the tip of the iceberg when it came to security issues in Microsoft Exchange Server. Two different researchers published a working exploit, based on Orange Tsai's presentation, on Aug. 6.
Security researcher Jan Kopriva, who is the team lead of incident response and offensive security at Alef Nula as well as a handler at the SANS Internet Storm Center (ISC), published an article last week on the number of remaining ProxyShell servers.
The Shodan scan results referenced in his article -- around 30,000 -- are much lower than the most recent scan results; Kopriva told SearchSecurity via Twitter direct message that this was due to a now-fixed bug in Shodan. However, he added that while the numbers are informational and give a sense of the truth, Shodan's scans are imperfect and should not be treated as "the one and only truth."
Kopriva had a number of observations about the data. For example, he felt based on the data that the number of honeypots was likely limited, and estimated that 90-99% of these 48,000 servers were from active organizations.
"An on-premise Exchange isn't something that most people would spin up when they'd want to run their own e-mail server, and most non-active/defunct businesses and organizations would probably need to shut their Exchanges (as well as the rest of their systems) down when they stopped operating," Kopriva said. "That said, there are bound to be at least some 'forgotten' systems -- Exchanges that organizations stopped using (e.g., when they moved to Exchange Online) and forgot to turn off which, over time, became part of their 'shadow IT.'"
Researcher Kevin Beaumont tweeted last Friday that the number of honeypots is "a relatively small number," commenting that almost all of the exposed servers are on business ADSL ISPs and that only a few were on virtual private servers.
Kopriva said there should be more direct outreach to those organizations running servers vulnerable to ProxyLogon and ProxyShell, though he added that these vulnerabilities are, like Orange Tsai said, only "the tip of the proverbial iceberg."
"In case of ProxyLogon (and hopefully ProxyShell as well, though it's hard to guess at this point), the media attention given to it, coupled with the threat of imminent exploitation, led to quite fast patching," he said. "There are, however, hundreds of thousands of systems accessible from the internet and are affected by other, older critical vulnerabilities -- those that never got so much media attention and for which publicly available exploits are not (yet) available."
Kopriva also called attention to the problem of technical debt.
"This is most definitely something that we do need to address, and sooner rather than later," he said. "Otherwise, to paraphrase [SANS fellow] Johannes Ullrich, we are basically leaving loaded shotguns lying around the internet and are hoping that no one picks one up."
Alexander Culafi is a writer, journalist and podcaster based in Boston.