On 2021-03-10 at 08:36 +0000, Hans-Martin Mosner via mailop wrote:
> Hello,
>
> does anyone have a pointer to technical details about the recently
> surfaced Exchange vulnerabilities? I would specifically be interested
> whether the exploit(s) depends on the server being exposed to the
> internet directly and would thus not be too critical if there's a
> Postfix internet mail gateway in front of it.
>
> Of course, applying the available fixes should not be delayed, but
> the priority of activities could be better evaluated if it were known
> that the risk of a compromise is low due to such a configuration.
>
> Cheers,
> Hans-Martin
Hello Hans-Martin,

Many things have been written about it. Some people reversed the patches, others the exploits. The vulnerability itself had been discovered by Devcore and was in the process of being fixed by Microsoft when Volexity found it being exploited in the wild, so it seems to be an instance of parallel discovery. See for instance https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

As for your actual question, no. The vulnerabilities used were in the HTTP interface used for OWA, EWS, etc. A server that exposed SMTP and IMAP but not HTTP/HTTPS shouldn't have been exposed.

On the other hand, those who *had* an Exchange server published on the internet should probably consider it compromised by now. There are multiple groups exploiting it (in addition to whitehat scans), dropping webshells, etc.

Note that:

* The bug is in a proxy layer, so there are multiple filenames (even non-existing ones) that can be used for the attack
* Some webshells are dropped with predictable names
* ...others have random names
* Even if you don't find any webshell on manual inspection, it doesn't mean none was added. Updating Exchange from an old version may inadvertently remove it, as the update removes entire folders before recreating them. You may want to make a copy beforehand for inspection.
* On a default install Exchange is able to create golden tickets, thus a compromised Exchange may lead to a compromised Active Directory

It may be a good time for everyone to review their contingency plans and see the effort that would be needed if you had been compromised by this and needed to rebuild the whole Exchange and restore from backups.

Best regards

PS: Don't forget about the vulnerability in the Microsoft DNS server either. There are many DCs published on the internet as well.

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
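The reply above recommends copying the Exchange web folders before patching, because the update removes and recreates entire folders and can silently discard a dropped webshell. The script below is an added example written for this page and is not code from either poster or from Microsoft. It snapshots the folders served by the HTTP proxy layer (OWA, ECP, EWS and friends) to an evidence directory, records a SHA-256 hash of every file so the copy can later be compared against a clean install, and lists every IIS-executable file written after a cut-off date. It looks at modification time rather than names precisely because, as the post notes, some webshells use predictable names and others random ones. The install path, the evidence path, the folder list and the cut-off date are assumptions; adjust them to your deployment.

```powershell
# Added example (not from the original mailop post): snapshot Exchange's HTTP
# front-end folders before applying the patch, hash every file, and flag any
# IIS-executable files newer than a chosen date. Paths and the cut-off date
# are assumptions; adjust them for your install.

param(
    # Assumed default install root for Exchange 2013/2016/2019.
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    # Assumed evidence location; use a volume the Exchange service account cannot write to.
    [string]$EvidenceRoot = 'C:\IR\exchange-snapshot',
    # Assumed cut-off; pick a date safely before the first suspicious activity in your logs.
    [datetime]$Since = (Get-Date '2021-02-26')
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $EvidenceRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Folders served through the HTTP proxy layer. Assumed layout of a default
# Exchange install; add any others your deployment uses.
$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot')
) | Where-Object { Test-Path $_ }

# 1. Copy the folders as they are now, before the update removes and recreates them.
#    /COPY:DAT keeps data, attributes and timestamps, which matter for the timeline.
foreach ($root in $webRoots) {
    $target = Join-Path $dest ($root -replace '[:\\]', '_')
    robocopy $root $target /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null
}

# 2. Hash every file so the snapshot can be diffed against a known-clean install later.
$hashes = foreach ($root in $webRoots) {
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTimeUtc
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$hashes | Export-Csv -Path (Join-Path $dest 'file-hashes.csv') -NoTypeInformation

# 3. Anything IIS would execute that was written after the cut-off deserves a look,
#    whatever it is called: predictable and random names show up the same way here.
$suspects = $hashes | Where-Object {
    $_.Path -match '\.(aspx|ashx|asmx|php)$' -and
    $_.LastWriteTime -gt $Since.ToUniversalTime()
}
$suspects | Sort-Object LastWriteTime | Format-Table Path, LastWriteTime, SHA256 -AutoSize
$suspects | Export-Csv -Path (Join-Path $dest 'recent-web-files.csv') -NoTypeInformation

"Snapshot written to $dest; $($suspects.Count) recently written web file(s) flagged."
```

Run it from an elevated PowerShell on the Exchange server before starting the update, then keep the evidence directory off the box. A timestamp filter is a triage aid, not proof of absence: an attacker who touches a file's timestamps, or who wrote to a folder outside the list, will not appear, which is why the hash list is kept so the whole tree can be compared against a clean install afterwards.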
