Browse Definitions :

Getty Images/iStockphoto

ProxyShell vs. ProxyLogon: What's the difference?

ProxyShell and ProxyLogon both affect Microsoft Exchange Servers, but they work in different ways.

ProxyShell and ProxyLogon are both exploits against on-premises Microsoft Exchange Servers, discovered in 2021. Both vulnerabilities enable threat actors to perform remote code execution on vulnerable systems.

Any organization that has not patched its Exchange Servers since July 2021 may be susceptible to an attack.

It is important to understand how each type of attack works. Here are their similarities and differences:

ProxyLogon

Orange Tsai, principal security researcher at Devcore, is credited with discovering the ProxyLogon exploit. He described it as possibly being the most severe vulnerability in the history of Microsoft Exchange.

ProxyLogon is the name that was given to Microsoft vulnerability number CVE-2021-26855. The ProxyLogon attack can be used against unpatched mail servers running Microsoft Exchange Server 2013, 2016 or 2019 that are set up to receive untrusted connections from the outside world. This enables threat actors to execute commands on unpatched, on-premises Exchange Servers by sending commands across Port 443. ProxyLogon is known as a pre-authenticated vulnerability. This means an attacker does not need to log on or complete any sort of authentication process to execute code remotely.

Read more here about port numbers.

The best thing that organizations can do to protect themselves against this exploit is keep their systems updated with the latest patches. They should also avoid making Exchange Server directly accessible from the internet.

ProxyShell

The ProxyShell exploit was discovered more recently than ProxyLogon. ProxyShell is an attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Although ProxyShell is a completely different exploit than ProxyLogon, many security researchers consider ProxyLogon to be the genesis of ProxyShell. ProxyLogon acted as something of a proof of concept that eventually led to the creation of ProxyShell.

ProxyShell targets on-premises Exchange Servers running Exchange Server 2013, 2016 or 2019. The threat specifically targets Exchange Client Access Servers -- or CAS servers, as Microsoft often calls them. Microsoft initially introduced CAS servers as front-end servers to protect Exchange mailbox servers.

The idea was that placing mailbox servers behind one or more client access servers kept mailbox servers from being directly accessible from the internet. But the ProxyShell exploit takes advantage of vulnerabilities that exist within Client Access Servers, using them as a tool to remotely execute code on the CAS servers. Some attackers also use the ProxyShell exploit to plant ransomware on vulnerable systems.

Kevin Beaumont, senior threat intelligence analyst at Microsoft, described the ProxyShell vulnerabilities as being worse than ProxyLogon. He said they are more exploitable because most organizations haven't patched, and some threat actors who are exploiting the ProxyShell vulnerabilities are using them as a tool for planting and executing LockFile ransomware.

Attackers know that most Microsoft Exchange Client Access Servers are accessible from the internet. They also know that client access servers are accessible over TCP Port 443. This makes it easy for threat actors to connect to a CAS server and run some simple tests to see if the server is vulnerable to the ProxyShell exploits.

The best defense against ProxyShell is to make sure that Exchange Servers are up to date with the latest Microsoft security patches. Although ProxyShell specifically targets client access servers, it is equally important to keep mailbox servers up to date with the latest patches.

Dig Deeper on Microsoft

Networking
  • network interface card (NIC)

    A network interface card (NIC) is a hardware component, typically a circuit board or chip, installed on a computer so it can ...

  • User Datagram Protocol (UDP)

    User Datagram Protocol (UDP) is a communications protocol primarily used to establish low-latency and loss-tolerating connections...

  • Telnet

    Telnet is a network protocol used to virtually access a computer and provide a two-way, collaborative and text-based ...

Security
  • advanced persistent threat (APT)

    An advanced persistent threat (APT) is a prolonged and targeted cyber attack in which an intruder gains access to a network and ...

  • Mitre ATT&CK framework

    The Mitre ATT&CK (pronounced miter attack) framework is a free, globally accessible knowledge base that describes the latest ...

  • timing attack

    A timing attack is a type of side-channel attack that exploits the amount of time a computer process runs to gain knowledge about...

CIO
HRSoftware
  • employee resource group (ERG)

    An employee resource group is a workplace club or more formally realized affinity group organized around a shared interest or ...

  • employee training and development

    Employee training and development is a set of activities and programs designed to enhance the knowledge, skills and abilities of ...

  • employee sentiment analysis

    Employee sentiment analysis is the use of natural language processing and other AI techniques to automatically analyze employee ...

Customer Experience
  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

  • customer insight (consumer insight)

    Customer insight, also known as consumer insight, is the understanding and interpretation of customer data, behaviors and ...

  • buyer persona

    A buyer persona is a composite representation of a specific type of customer in a market segment.

Close