ProxyRelay Vulnerability

This week, on the 19th of October 2022, Devcore published a blog on the fourth vulnerability called ProxyRelay. The blog can be found here: https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/

The blog describes four vulnerabilities. Currently, there are no reports on exploitation of ProxyRelay in the wild. However, with the details provided by the blog, it is likely that exploits will be developed.

ProxyRelay consists of multiple vulnerabilities and could better be classified as an attack surface than a single bug. Based on the current insights, it is possible to bypass authentication, access data (like emails) and execute code without user-interaction.

Currently, there are no reports on exploitation of ProxyRelay in the wild and exploitation on short term is not expected. Although, this might change based on the details published in the blog by Devcore.

ProxyRelay consist of four vulnerabilities, three of which are currently registered as a CVE:

• CVE-2021-33768 – Relay to Exchange FrontEnd
• CVE-2022-21979 – Relay to Exchange BackEnd
• CVE-2021-26414 – Relay to Exchange DCOM
• CVE-2022-RESERVED – Relay to other services of Exchange

CVE	CVE published	CVE Last modified	CVSS V3 score	EPSS Score	EPSS Percentile
CVE-2021-26414	2021-06-08	2022-09-12	6.5	0.02844	0.82629
CVE-2021-33768	2021-07-14	2022-05-03	8	0.0115	0.5942
CVE-2022-21979	2022-08-09	2022-09-22	5.7

Table 1 – CVE details information on the 19th of October 2022

Based on the current CVSS and EPSS scores, the vulnerabilities on themselves do not seem critical. However, it is the combination of the vulnerabilities and the ProxyRelay attack surface that contains the real threat. That is why Devcore reported the vulnerability in June 2021 to Microsoft and published their blog more than a year later.

Microsoft released security patches as part of the Exchange August 2022 Security Updates for the following versions of Microsoft Exchange Server:

• Microsoft Exchange Server 2013 CU23
• Microsoft Exchange Server 2016 CU22 and CU23
• Microsoft Exchange Server 2019 CU11 and CU12

Additionally, it is advised to apply the Cumulative Security Updates for Microsoft Windows of the Microsoft Exchange Server of at least June 2022.

Although the upgrade of an Exchange Server can be a challenge, it is highly recommended to apply the patches. While there are no reports of Exploitation in the wild, it is likely exploit methods will be developed after publication of ProxyRelay details.

More information:

• August 2022 Exchange Server Security Updates – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/359386
• ProxyRelay blog by Devcore- https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
• ProxyShell blog by Devcore – https://devco.re/blog/2021/08/22/a-new-attack-surface-on-MS-exchange-part-3-ProxyShell/
• ProxyOracle blog by Devcore – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/
• ProxyLogon blog by Devcore – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/
• Microsoft Advisory CVE-2021-33768 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768
• Microsoft Advisory CVE-2022-21979 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21979
• Microsoft Advisory CVE-2021-26414 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414