Browse Definitions :

Getty Images/iStockphoto

ProxyShell vs. ProxyLogon: What's the difference?

ProxyShell and ProxyLogon both affect Microsoft Exchange Servers, but they work in different ways.

ProxyShell and ProxyLogon are both exploits against on-premises Microsoft Exchange Servers, discovered in 2021. Both vulnerabilities enable threat actors to perform remote code execution on vulnerable systems.

Any organization that has not patched its Exchange Servers since July 2021 may be susceptible to an attack.

It is important to understand how each type of attack works. Here are their similarities and differences:

ProxyLogon

Orange Tsai, principal security researcher at Devcore, is credited with discovering the ProxyLogon exploit. He described it as possibly being the most severe vulnerability in the history of Microsoft Exchange.

ProxyLogon is the name that was given to Microsoft vulnerability number CVE-2021-26855. The ProxyLogon attack can be used against unpatched mail servers running Microsoft Exchange Server 2013, 2016 or 2019 that are set up to receive untrusted connections from the outside world. This enables threat actors to execute commands on unpatched, on-premises Exchange Servers by sending commands across Port 443. ProxyLogon is known as a pre-authenticated vulnerability. This means an attacker does not need to log on or complete any sort of authentication process to execute code remotely.

Read more here about port numbers.

The best thing that organizations can do to protect themselves against this exploit is keep their systems updated with the latest patches. They should also avoid making Exchange Server directly accessible from the internet.

ProxyShell

The ProxyShell exploit was discovered more recently than ProxyLogon. ProxyShell is an attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Although ProxyShell is a completely different exploit than ProxyLogon, many security researchers consider ProxyLogon to be the genesis of ProxyShell. ProxyLogon acted as something of a proof of concept that eventually led to the creation of ProxyShell.

ProxyShell targets on-premises Exchange Servers running Exchange Server 2013, 2016 or 2019. The threat specifically targets Exchange Client Access Servers -- or CAS servers, as Microsoft often calls them. Microsoft initially introduced CAS servers as front-end servers to protect Exchange mailbox servers.

The idea was that placing mailbox servers behind one or more client access servers kept mailbox servers from being directly accessible from the internet. But the ProxyShell exploit takes advantage of vulnerabilities that exist within Client Access Servers, using them as a tool to remotely execute code on the CAS servers. Some attackers also use the ProxyShell exploit to plant ransomware on vulnerable systems.

Kevin Beaumont, senior threat intelligence analyst at Microsoft, described the ProxyShell vulnerabilities as being worse than ProxyLogon. He said they are more exploitable because most organizations haven't patched, and some threat actors who are exploiting the ProxyShell vulnerabilities are using them as a tool for planting and executing LockFile ransomware.

Attackers know that most Microsoft Exchange Client Access Servers are accessible from the internet. They also know that client access servers are accessible over TCP Port 443. This makes it easy for threat actors to connect to a CAS server and run some simple tests to see if the server is vulnerable to the ProxyShell exploits.

The best defense against ProxyShell is to make sure that Exchange Servers are up to date with the latest Microsoft security patches. Although ProxyShell specifically targets client access servers, it is equally important to keep mailbox servers up to date with the latest patches.

Dig Deeper on Microsoft

Networking
  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

  • private 5G

    Private 5G is a wireless network technology that delivers 5G cellular connectivity for private network use cases.

  • NFVi (network functions virtualization infrastructure)

    NFVi (network functions virtualization infrastructure) encompasses all of the networking hardware and software needed to support ...

Security
  • virus (computer virus)

    A computer virus is a type of malware that attaches itself to a program or file. A virus can replicate and spread across an ...

  • Certified Information Security Manager (CISM)

    Certified Information Security Manager (CISM) is an advanced certification that indicates that an individual possesses the ...

  • cryptography

    Cryptography is a method of protecting information and communications using codes, so that only those for whom the information is...

CIO
  • IT project management

    IT project management is the process of planning, organizing and delineating responsibility for the completion of an ...

  • chief financial officer (CFO)

    A chief financial officer (CFO) is the corporate title for the person responsible for managing a company's financial operations ...

  • chief strategy officer (CSO)

    A chief strategy officer (CSO) is a C-level executive charged with helping formulate, facilitate and communicate an ...

HRSoftware
Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

Close