Ref# AL2023_02 | Date: Jan 5th 2023

---

Description 

Exchange Servers are affected by security flaws known as ProxyNotShell (tracked as – CVE-2022-41082 and CVE-2022-41040). Attackers on compromised servers can escalate privileges and obtain arbitrary or remote code execution if the exploit is successful. 

Summary    

A combination of Exchange Server zero-day vulnerabilities known as ProxyNotShell were linked together by threat actors in a series of focused assaults after being initially publicly revealed in September. The first vulnerability, CVE-2022-41040, affects server-side request forgery, while the second, CVE-2022-41082, affects remote code execution. The phrase “ProxyNotShell” refers to the now-famous ProxyShell set of security issues made public in 2021.  

However, CrowdStrike revealed that a fresh attack chain known as “OWASSRF” got beyond Microsoft”s URL Rewrite mitigations. OWASSRF, which combines the ProxyNotShell problem (CVE-2022-41082) and the elevation of privilege flaw (CVE-2022-41080), has recently been exploited in several Play ransomware attacks. 

A cybersecurity non-profit called Shadowserver has been looking for IP addresses with Microsoft Exchange Server instances that are probably CVE-2022-41082 susceptible. However, on December 21, the day following the publication of CrowdStrike”s study, Shadowserver discovered 83,946 susceptible IP addresses. That number fell to 60,865 as of January 2. 

Remediation   

Applying Microsoft”s ProxyNotShell updates is necessary to protect your Exchange servers from incoming attacks. Although Microsoft offered mitigation strategies, attackers can still get around these. Only servers that have been fully patched are safe from attack. This issue was fixed in December 2022 Patch Tuesday which can be found at the following URL: 
https://msrc.microsoft.com/update-guide/releaseNote/2022-Dec  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Many Exchange servers are still prone to ProxyNotShell attacks.pdf

References   

• Culafi, A. (2023, January 3). Many Exchange servers still vulnerable to ProxyNotShell flaw. Retrieved from TechTarget. 
  https://www.techtarget.com/searchsecurity/news/252528809/Many-Exchange-servers-still-vulnerable-to-ProxyNotShell-flaw 

• Gatlan, S. (2023, January 3). Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks. Retrieved from BleepingComputer. 
  https://www.bleepingcomputer.com/news/security/over-60-000-exchange-servers-vulnerable-to-proxynotshell-attacks/