Microsoft Exchange server zero-day mitigation is circumvented (13th October 2022)

Ref# AL2022_66 | Date: Oct 13th 2022

Description  

Microsoft officially disclosed that it is investigating two zero-day security vulnerabilities affecting Exchange Server 2013, 2016 and 2019. The company has released mitigations for the two new Microsoft Exchange zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082. 

Summary  

The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, CVE-2022-41082, allows remote code execution (RCE) when the attacker has access to PowerShell. In a new analysis, the Microsoft Threat Intelligence Center (MSTIC) stated that these attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft stated that while these vulnerabilities necessitate authentication, the authentication required for exploitation can be that of a standard user. Standard user credentials can be obtained through a variety of attacks, such as password spraying or purchase through the cybercriminal economy. Microsoft also stated that it is working on an “accelerated timeline” to fix the flaws. 

Remediation  

Microsoft provided mitigations for on-premises servers together with a strong recommendation that Exchange Server customers “disable remote PowerShell access for non-admin users” within the organization. Microsoft also proposed blocking known attack patterns with an IIS Manager URL Rewrite rule to reduce the risk of exploitation. Administrators can also update the Exchange On-premises Mitigation Tool, a script that requires PowerShell 3 or later, administrator privileges and IIS 7.5 or newer. However, the rule proposed by Microsoft covers only known attack patterns, so the URL pattern it blocks is limited to those; requests that do not match the pattern are not blocked, which is why the mitigation can be circumvented. 
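As an added example (not part of the alert, and not Microsoft's own tooling), the following script implements the recommendation quoted above, disabling remote PowerShell for non-admin users, in a report-first, reversible way. It assumes it is run in the Exchange Management Shell on an on-premises Exchange 2013/2016/2019 server with an account permitted to run Get-User, Get-RoleGroupMember and Set-User, and it assumes that "admin" means a member of the Exchange "Organization Management" role group plus any identities passed in the hypothetical `-AdditionalAdmins` parameter; both assumptions should be adjusted to the environment.

```powershell
# Added example, not from the Guyana National CIRT alert or from Microsoft.
# Reports, and optionally disables, remote PowerShell access for non-admin users
# in on-premises Exchange. Assumes the Exchange Management Shell and an account
# that can run Get-User, Get-RoleGroupMember and Set-User.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts that must keep remote PowerShell (service or break-glass accounts).
    # Assumption: the caller supplies these; nothing is inferred beyond the role group.
    [string[]] $AdditionalAdmins = @(),
    # Report only unless -Apply is given.
    [switch] $Apply,
    # Before-state CSV so the change can be audited and reverted.
    [string] $ReportPath = ".\RemotePowerShell-Before-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# 1. Build the allow-list of accounts that keep remote PowerShell.
#    Assumption: members of "Organization Management" are the admins.
#    Caveat: nested groups inside the role group are not expanded here;
#    add their members via -AdditionalAdmins if you use nesting.
$adminDns = @{}
foreach ($member in (Get-RoleGroupMember -Identity 'Organization Management' -ResultSize Unlimited)) {
    $adminDns[$member.DistinguishedName] = $true
}
foreach ($id in $AdditionalAdmins) {
    $u = Get-User -Identity $id -ErrorAction Stop
    $adminDns[$u.DistinguishedName] = $true
}

# 2. Find every user that still has remote PowerShell enabled and is not on the allow-list.
$candidates = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $adminDns.ContainsKey($_.DistinguishedName) })

# 3. Record the before-state first so the change is auditable and reversible.
$candidates |
    Select-Object Name, UserPrincipalName, RecipientTypeDetails, RemotePowerShellEnabled |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} non-admin user(s) have remote PowerShell enabled; before-state written to {1}" -f $candidates.Count, $ReportPath)

# 4. Disable remote PowerShell for them; ShouldProcess honours -WhatIf and -Confirm.
if (-not $Apply) {
    Write-Host "Report-only run. Re-run with -Apply to disable remote PowerShell for the users listed."
    return
}
foreach ($user in $candidates) {
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Set RemotePowerShellEnabled to $false')) {
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
    }
}
```

Run it once without `-Apply` to get the list and the before-state CSV, then with `-Apply -WhatIf` to see exactly which accounts would change, and finally with `-Apply`. Accounts that need remote PowerShell but are not in Organization Management (for example automation accounts) must be named in `-AdditionalAdmins`, or they will lose access. To revert a single account, run `Set-User -Identity <user> -RemotePowerShellEnabled $true`; the CSV records who had it enabled beforehand.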

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  

PDF Download: Microsoft Exchange server zero-day mitigation is circumvented.pdf