Browse Definitions :

Getty Images/iStockphoto

ProxyShell vs. ProxyLogon: What's the difference?

ProxyShell and ProxyLogon both affect Microsoft Exchange Servers, but they work in different ways.

ProxyShell and ProxyLogon are both exploits against on-premises Microsoft Exchange Servers, discovered in 2021. Both vulnerabilities enable threat actors to perform remote code execution on vulnerable systems.

Any organization that has not patched its Exchange Servers since July 2021 may be susceptible to an attack.

It is important to understand how each type of attack works. Here are their similarities and differences:

ProxyLogon

Orange Tsai, principal security researcher at Devcore, is credited with discovering the ProxyLogon exploit. He described it as possibly being the most severe vulnerability in the history of Microsoft Exchange.

ProxyLogon is the name that was given to Microsoft vulnerability number CVE-2021-26855. The ProxyLogon attack can be used against unpatched mail servers running Microsoft Exchange Server 2013, 2016 or 2019 that are set up to receive untrusted connections from the outside world. This enables threat actors to execute commands on unpatched, on-premises Exchange Servers by sending commands across Port 443. ProxyLogon is known as a pre-authenticated vulnerability. This means an attacker does not need to log on or complete any sort of authentication process to execute code remotely.

Read more here about port numbers.

The best thing that organizations can do to protect themselves against this exploit is keep their systems updated with the latest patches. They should also avoid making Exchange Server directly accessible from the internet.

ProxyShell

The ProxyShell exploit was discovered more recently than ProxyLogon. ProxyShell is an attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Although ProxyShell is a completely different exploit than ProxyLogon, many security researchers consider ProxyLogon to be the genesis of ProxyShell. ProxyLogon acted as something of a proof of concept that eventually led to the creation of ProxyShell.

ProxyShell targets on-premises Exchange Servers running Exchange Server 2013, 2016 or 2019. The threat specifically targets Exchange Client Access Servers -- or CAS servers, as Microsoft often calls them. Microsoft initially introduced CAS servers as front-end servers to protect Exchange mailbox servers.

The idea was that placing mailbox servers behind one or more client access servers kept mailbox servers from being directly accessible from the internet. But the ProxyShell exploit takes advantage of vulnerabilities that exist within Client Access Servers, using them as a tool to remotely execute code on the CAS servers. Some attackers also use the ProxyShell exploit to plant ransomware on vulnerable systems.

Kevin Beaumont, senior threat intelligence analyst at Microsoft, described the ProxyShell vulnerabilities as being worse than ProxyLogon. He said they are more exploitable because most organizations haven't patched, and some threat actors who are exploiting the ProxyShell vulnerabilities are using them as a tool for planting and executing LockFile ransomware.

Attackers know that most Microsoft Exchange Client Access Servers are accessible from the internet. They also know that client access servers are accessible over TCP Port 443. This makes it easy for threat actors to connect to a CAS server and run some simple tests to see if the server is vulnerable to the ProxyShell exploits.

The best defense against ProxyShell is to make sure that Exchange Servers are up to date with the latest Microsoft security patches. Although ProxyShell specifically targets client access servers, it is equally important to keep mailbox servers up to date with the latest patches.

Dig Deeper on Microsoft

SearchNetworking
SearchSecurity
  • man in the browser (MitB)

    Man in the browser (MitB) is a security attack where the perpetrator installs a Trojan horse on the victim's computer that is ...

  • Patch Tuesday

    Patch Tuesday is the unofficial name of Microsoft's monthly scheduled release of security fixes for the Windows operating system ...

  • parameter tampering

    Parameter tampering is a type of web-based cyber attack in which certain parameters in a URL are changed without a user's ...

SearchCIO
  • chief procurement officer (CPO)

    The chief procurement officer, or CPO, leads an organization's procurement department and oversees the acquisitions of goods and ...

  • Lean Six Sigma

    Lean Six Sigma is a data-driven approach to improving efficiency, customer satisfaction and profits.

  • change management

    Change management is a systematic approach to dealing with the transition or transformation of an organization's goals, processes...

SearchHRSoftware
SearchCustomerExperience
  • clickstream data (clickstream analytics)

    Clickstream data and clickstream analytics are the processes involved in collecting, analyzing and reporting aggregate data about...

  • neuromarketing

    Neuromarketing is the study of how people's brains respond to advertising and other brand-related messages by scientifically ...

  • contextual marketing

    Contextual marketing is an online marketing strategy model in which people are served with targeted advertising based on their ...

Close