Conscia ThreatInsights
New 0-day vulnerabilities in Microsoft Exchange Server actively exploited

Two reported 0-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019 (on-prem) tracked as CVE-2022-41040 and CVE-2022-41082 are being actively exploited in the wild. Conscia Threat Intelligence experts explain how critical these are and how to mitigate them.

How to mitigate Microsoft Exchange Server 0-day vulnerabilities CVE-2022-41040 and CVE-2022-41082

On 29th September 2022, Microsoft published new Customer Guidance for two reported 0-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019 (only on-premises deployments). Tracked as CVE-2022-41040 Server-Side Request Forgery (SSRF) and CVE-2022-41082 Remote Code Execution (RCE), both vulnerabilities are being actively exploited in the wild. Microsoft confirmed that SSRF can only be exploited by authenticated attackers – only then is it possible to exploit the RCE vulnerability.

Upon publishing this article, we already found one public report of a successful cyber-attack based on these vulnerabilities by the Chinese Threat Actor group that deployed Chinese Chopper web shells for persistence and data theft and to move laterally through victims’ networks.

Vulnerabilities only affect on-premises deployments, while Microsoft Exchange Online customers do not need to take any action.

Who is affected, and how do they work

Two 0-day vulnerabilities are tracked as:

  • CVE-2022-41040 (Server-Side Request Forgery)
  • CVE-2022-41082 (Remote Code Execution)

 The SSRF can only be exploited by authenticated attackers and is a prerequisite for successful exploitation of RCE vulnerability. The SSRF vulnerability is exploited similarly to those used in attacks targeting the ProxyShell vulnerabilities.

The exploit works in two stages:

  • Requests with a similar format to the ProxyShell vulnerability: autodiscover/[email protected]/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%[email protected].
  • The use of the link above to access a component in the backend where the RCE could be implemented.

The vulnerabilities affect on-premises deployments of Microsoft Exchange Server 2013, 2016, and 2019.

Conscia Cyberdefense Guidelines

We currently recommend our customers to follow the mitigations suggested by Microsoft in their Customer guidance report.

Microsoft Exchange Online Customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports.

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, successfully break current attack chains.

  1. Open the IIS Manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the Feature View, click URL Rewrite.
  5. In the Actions pane on the right-hand side, click Add Rules.
  6. Select ‘Request Blocking’ and click ‘OK.’
  7. Add String “(?=.*autodiscover)(?=.*powershell)” (excluding quotes) and click ‘OK’. *
  8. Expand the rule and select the rule with the Pattern “(?=.*autodiscover)(?=.*powershell)” and click ‘Edit’ under ‘Conditions.’
  9. Change the condition input from {URL} to {REQUEST_URL}

*[04.10.2022] UPDATE: According to further analysis, the ‘@’ sign in the 7th step proved to be too specific for the known attacks. Removing it should make the rule more prone to other attacks. However, we at Conscia have not been able to test it yet whether it would have any implications on normal operations.

*[05.10.2022] UPDATE: Removed the ‘@’ sign in the 7th step.

*[09.10.2022] UPDATE: Updated the strings inside the rule, based on Microsoft’s update.

NOTE: For complete up to date guidelines refer to Microsoft’s official Customer Guidance report as they might be updating the article throughout the time. Refer to the URL provided above.

There is no known impact on Exchange functionality if the URL Rewrite module is installed as recommended.

Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.

  • HTTP: 5985
  • HTTPS: 5986

 

Microsoft also provided recently two other options on how to apply these mitigations:

  1. Using Exchange Emergency Mitigation Service
  2. Using provided PowerShell Script

Please refer to their guidance page to learn more about these methods.

 

Patch Available

On November 8th 2022, during their regular Patch Tuseday, Microsoft released the security patch that fixes the zero-days. We advise anyone vulnerable to the mentioned CVEs to immediately patch their servers as we still continue to see ProxyNotShell exploitations in the wild. The attacks spiked after the public release of Proof-of-Concept exploit code and still linger.

Need assistance?

If you have further questions or need assistance with your risk assessment, security strategy, or deployment of countermeasures, please contact your closest Conscia office, and our experts will be glad to answer your questions.

Contact
Contact us now