Critical Vulnerability Alert

21 October 2022

TLP: AMBER
No third party distribution

Exchange Server ProxyRelay Attack (CVE-2021-33768, CVE-2022-21979, CVE-2021-26414, and more)

Introduction

On 19 Oct 2022, a security researcher reported a new set of Exchange Server flaws that would allow
attackers to bypass authentication or achieve code execution without user interaction. [1] The
vulnerabilities leverage properties of the protocols and architectural designs by which Exchange
Server authenticates the identities of its users: NTLM authentication initiated by one Exchange Server
can be captured and relayed to another.

At the time of writing, there has been no observed exploitation by threat actors, though previous
vulnerabilities reported by the same security researcher, including ProxyShell and ProxyLogon, were
exploited by various espionage groups. [2, 3] PwC's Dark Lab posits that similar threat actors will
have the intent and capability to weaponise and conduct ProxyRelay attacks in the future, and will
continue to monitor the situation and provide updates as soon as possible.

PwC’s Dark Lab summarises the known information regarding this vulnerability below:

CVE(s)
  CVE-2021-33768 (Attacks against Microsoft Exchange Front end)
  CVE-2022-21979 (Attacks against Microsoft Exchange Back end)
  CVE-2021-26414 (Attacks leveraging Windows DCOM)
  CVE-2022-RESERVED (Other services in Exchange Server)

CVE Published Date
  CVE-2021-33768: 28 May 2021 [4]
  CVE-2022-21979: 9 August 2022 [5]
  CVE-2021-26414: 29 January 2021 [6]

CVSS v3
  CVE-2021-33768: 8.0 [7]
  CVE-2022-21979: 5.7 [8]
  CVE-2021-26414: 6.5 [9]

Affected Products
  Microsoft Exchange Servers

Description
  The front end, back end, Windows DCOM and services running on the Exchange Server that use NTLM
  as the authentication method are all susceptible to the attack. [10]

[1] https://blog.orange.tw/2022/10/proxyrelay-a-new-attack-surface-on-ms-exchange-part-4.html
[2] https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/
[3] https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33768
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21979
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26414
[7] https://nvd.nist.gov/vuln/detail/CVE-2021-33768
[8] https://nvd.nist.gov/vuln/detail/CVE-2022-21979
[9] https://nvd.nist.gov/vuln/detail/CVE-2021-26414
[10] https://blog.orange.tw/2022/10/proxyrelay-a-new-attack-surface-on-ms-exchange-part-4.html

Potential Impact
  Uncertain at the time of writing. Based on our understanding of similar vulnerabilities, e.g.,
  ProxyShell and ProxyLogon, we assess with high confidence that threat actors of espionage and
  cybercriminal profiles would have the intent and capability to weaponise this vulnerability to gain
  access to Exchange Servers and elevate privileges in an Active Directory network.

Proof of Concept (PoC) Available
  Yes, not publicly available [11]

Exploited in the Wild
  No, for ProxyRelay.

Patch Available
  CVE-2021-33768: Yes
  CVE-2022-21979: Yes
  CVE-2021-26414: Yes
  CVE-2022-RESERVED: No

Workaround Available
  No for all.

Impact and Analysis

A security researcher posted a blog describing four ways to perform relay attacks against Microsoft
Exchange. [12] Each attack coerces an Exchange Server into initiating NTLM authentication, which the
attacker then relays to a second Exchange Server. The attacks are as follows:
- Frontend: the attacker relays the NTLM authentication to the Frontend of the Exchange Server,
  allowing the attacker to impersonate any user and potentially take over their mailbox.
- Backend: the attacker relays the NTLM authentication to the Backend of the Exchange Server, abusing
  the regular operation in which the Backend treats a request as coming from a Frontend once it
  validates that the authenticated identity is a Machine Account. Several Backend interfaces can be
  targeted this way, such as Exchange Web Services (EWS), Remote Procedure Call (RPC) and Exchange
  PowerShell.
- MS-DCOM: the attacker takes advantage of the default group membership that Exchange Servers hold in
  Active Directory environments to initiate a DCOM connection and relay the NTLM authentication.
- Relay to other services of Exchange: no details at the time, though the researcher indicated that
  other services on the Exchange Server that use NTLM as their authentication method may be
  vulnerable.
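
As an added illustration, not part of this alert or of the researcher's published work, the following Python script shows one way to hunt for the Backend relay described above in the IIS logs of an Exchange back end. The heuristic follows from the attack: a Machine Account ($) logon on the back-end port (444) is normal only when the client IP is another Exchange server acting as a front-end proxy, so a machine-account logon from any other address is a candidate relay. The log lines, IP addresses, server list and account names below are constructed assumptions; in a real deployment the allowlist must be built from the actual server inventory, and a hit is a lead to investigate rather than proof of compromise.

```python
"""Hunt for relay-to-backend indicators in Exchange back-end IIS (W3C) logs.

Added example, not part of the PwC alert. The log lines are constructed, not
real telemetry; the IP addresses, hostnames and server list are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Assumption: the organisation's own Exchange servers (hypothetical addresses).
# Machine-account logons on port 444 are expected only from these front ends.
KNOWN_EXCHANGE_SERVERS: Set[str] = {"10.0.0.11", "10.0.0.12"}
BACKEND_PORT = "444"

# Constructed sample log in IIS W3C format; the #Fields line declares the columns.
# Line 5 and line 7 carry machine-account logons from 10.0.0.99, which is not an
# Exchange server; line 8 is on port 443 (front end) and is outside this rule.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-21 09:15:01 10.0.0.11 POST /EWS/Exchange.asmx - 444 CORP\\EXCH02$ 10.0.0.12 MSExchangeProxy 200
2022-10-21 09:15:02 10.0.0.11 POST /mapi/emsmdb/ - 444 CORP\\EXCH02$ 10.0.0.12 Outlook/16.0 200
2022-10-21 09:16:40 10.0.0.11 POST /EWS/Exchange.asmx - 444 CORP\\EXCH01$ 10.0.0.99 python-requests/2.28.1 200
2022-10-21 09:17:00 10.0.0.11 GET /owa/ - 444 CORP\\alice 10.0.0.12 Mozilla/5.0+(Windows+NT+10.0) 200
2022-10-21 09:18:00 10.0.0.11 POST /powershell/ - 444 CORP\\EXCH02$ 10.0.0.99 - 401
2022-10-21 09:18:05 10.0.0.11 GET /autodiscover/autodiscover.xml - 443 CORP\\EXCH01$ 10.0.0.99 - 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    timestamp: str
    account: str
    client_ip: str
    uri: str
    status: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each data line, mapped via the #Fields header."""
    fields: List[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if not fields:
            raise ValueError(f"line {line_no}: data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def is_machine_account(user: str) -> bool:
    """Machine accounts (e.g. CORP\\EXCH01$) end in '$'; '-' means anonymous."""
    return user != "-" and user.endswith("$")


def hunt_backend_relay(text: str, known_servers: Set[str] = KNOWN_EXCHANGE_SERVERS) -> List[Finding]:
    """Flag machine-account logons on the back-end port from non-Exchange client IPs."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(text):
        if rec["s-port"] != BACKEND_PORT:
            continue
        if not is_machine_account(rec["cs-username"]):
            continue
        if rec["c-ip"] in known_servers:
            continue  # legitimate front-end -> back-end proxying
        findings.append(Finding(
            line_no=line_no,
            timestamp=f'{rec["date"]} {rec["time"]}',
            account=rec["cs-username"],
            client_ip=rec["c-ip"],
            uri=rec["cs-uri-stem"],
            status=rec["sc-status"],
        ))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group the relayed machine accounts by the client IP they arrived from."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.client_ip, set()).add(f.account)
    return grouped


if __name__ == "__main__":
    for f in hunt_backend_relay(SAMPLE_LOG):
        print(f"line {f.line_no} {f.timestamp}: {f.account} from {f.client_ip} -> {f.uri} ({f.status})")
```

Failed attempts (status 401) are kept deliberately: once the back end rejects relayed credentials, the attacker's probing still shows up as machine-account logons from a foreign address, which is the signal worth alerting on.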

Microsoft has released patches for the first three types of attack; the fourth has no patch because
no CVE has been assigned to it yet. Details are likely to become available once the Microsoft Security
Response Center (MSRC) has evaluated the security researcher's disclosure.

We have observed limited discussion on social media, mostly consisting of reposts of the researcher's
blog. However, one dark web thread mentions ProxyRelay and a possible exploitation method, which shows
an intention to identify and develop a working exploit for the vulnerable service, despite the
participants' current inability to do so.

[11] https://www.youtube.com/watch?v=IFRvmo6AZoY
[12] https://blog.orange.tw/2022/10/proxyrelay-a-new-attack-surface-on-ms-exchange-part-4.html

Dark Lab Threat Intelligence 2



Image 1 – Dark web discussion related to ProxyRelay

Image 2 – Translation of dark web discussion related to ProxyRelay

Mitigation

Organisations running Exchange Server are strongly encouraged to apply the available patches for
CVE-2021-33768, CVE-2022-21979 and CVE-2021-26414 to prevent exploitation, and to continue monitoring
for official announcements on the fourth vulnerability, applying the remediation Microsoft advises once
it is published. Two points deserve attention when verifying the patches: Microsoft's fix for the
Backend relay (CVE-2022-21979) relies on Extended Protection for Authentication being enabled on the
Exchange virtual directories, so installing the Security Update alone does not close that relay path;
and the DCOM hardening for CVE-2021-26414 is rolled out by Microsoft in phases, so its enforcement
state should be verified rather than assumed. Because every variant is an NTLM relay, the usual relay
hygiene (requiring signing and channel binding on services that accept NTLM, and restricting NTLM use
where feasible) also reduces exposure to the fourth, as yet undetailed, variant.

Conclusion

Although the information released by the security researcher is limited, Dark Lab posits with moderate
confidence that this vulnerability will be weaponised within days and heavily targeted as soon as the
PoC is released by the security researcher. PwC's Dark Lab will continuously monitor the situation for
this vulnerability and will provide an update as soon as more information is available.

Further information

If you need any further advice or would like PwC’s leading global incident response team to support
you, please do not hesitate to contact us.

This report has been provided to clients as part of PwC’s Dark Lab Cyber-as-a-Service offering. More
detailed analysis on the topics covered in this report can be provided on request.

If you would like more information on any of the threats discussed in this alert please feel free to get in
touch, by emailing [email protected] or [email protected].

Traffic Light Protocol

This report is classified as TLP: AMBER. Recipients may only share TLP: AMBER information with
members of their own organisation who need to know the information to protect themselves or prevent
further harm.




This document has been prepared by PricewaterhouseCoopers Limited (PwC) solely for its clients who have entered into a
subscription agreement with PwC for related services (the "subscription") and solely for the purpose and on the terms set out
in the subscription. PwC accepts no liability (including for negligence) to anyone else in connection with this document. It may
only be distributed according to the TLP classification where one is provided, and otherwise it may not be provided to anyone
else.
