Flash Report: Microsoft Exchange Zero-Day Vulnerabilities
ZeroFox Intelligence is tracking two zero-day vulnerabilities that affect Microsoft Exchange Server versions 2013, 2016, and 2019. The information below is current as of September 30, 2022.
Key Findings
- Two zero-day vulnerabilities were identified that affect Microsoft Exchange Server versions 2013, 2016, and 2019. On-premises Exchange customers are impacted, and possibly those operating hybrid server environments as well.
- Active exploitation in the wild has been identified.
- No patch is available yet. Microsoft has published a workaround and encourages customers to apply the IIS URL Rewrite rule described below and to block exposed Remote PowerShell ports.
Analyst Commentary
On September 29, 2022, Microsoft confirmed two zero-day vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, affecting Exchange Server versions 2013, 2016, and 2019 [1]. Multiple sources disclosed the vulnerabilities and state that they are being actively exploited in the wild [2][3]. Microsoft has advised that only on-premises Exchange customers are affected and that Exchange Online customers need not take any action; however, customers running a hybrid deployment (an on-premises Exchange server alongside Exchange Online) still operate an exposed on-premises server and could be affected.
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that an authenticated attacker can use to reach CVE-2022-41082, a remote code execution (RCE) vulnerability that is exploitable when the Exchange PowerShell endpoint is accessible to the attacker. From there, threat actors can establish persistence, exfiltrate data, or move laterally across compromised networks. Microsoft states that authenticated access to the vulnerable Exchange Server is required to exploit either vulnerability; note that this is a low bar, since valid credentials for an ordinary mailbox user are sufficient and do not need to be administrative.
The exploit chain follows a path similar to the ProxyShell vulnerabilities patched in April 2021 (an Autodiscover request abused to reach the PowerShell backend), indicating the possibility that the patches deployed in 2021 did not fully close that path.
Recommendations
Microsoft shared instructions for an official workaround through the Microsoft Security Response Center (MSRC) website on September 29, 2022 [1]. There is no patch currently available. Microsoft encourages customers to review and apply the URL Rewrite rule below on each on-premises Exchange server and to block exposed Remote PowerShell ports (HTTP: 5985 and HTTPS: 5986). The URL Rewrite steps, performed in IIS Manager, are as follows:
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add the string ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK.
- Expand the rule, select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*", and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}. This step matters: {URL} carries only the request path, whereas {REQUEST_URI} also includes the query string, which is where the "@...Powershell" portion of the exploit request appears, so a rule left on {URL} will not block it.
Administrators are advised to scan the IIS logs on their Exchange servers for indicators of compromise by running the following PowerShell command [4], replacing <Path_IIS_Logs> with the IIS log directory (by default under C:\inetpub\logs\LogFiles):
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
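The following script is an added example written for this report; it is not code from ZeroFox, Microsoft, or GTSC. It models the IIS URL Rewrite condition above to show why the condition input must be changed from {URL} (request path only) to {REQUEST_URI} (path plus query string), and it parses IIS W3C log lines into named fields and flags requests carrying the exploitation signature. Unlike the one-line regex above, which as written only matches log lines where "powershell" appears before "autodiscover.json", it checks the URI stem and query string together so the result does not depend on field order. The log excerpt, the example.com host, the client addresses, and the X-Rps-CAT value are all constructed for the example.

```python
"""Added example (not from the ZeroFox report, Microsoft, or GTSC).

1. rewrite_condition_blocks(): models the IIS URL Rewrite "Request Blocking"
   condition from the workaround against the {URL} and {REQUEST_URI} inputs.
2. scan_iis_log(): parses IIS W3C extended log text and flags requests that
   carry the signature autodiscover.json ... @ ... powershell.
All sample data below is constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Pattern exactly as given in the Microsoft workaround quoted above. IIS URL
# Rewrite conditions ignore case by default, hence re.IGNORECASE.
REWRITE_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def rewrite_condition_blocks(request_uri, condition_input="{REQUEST_URI}"):
    """Return True if the Request Blocking rule would fire for this request.

    {URL}          the request path only; the query string is stripped
    {REQUEST_URI}  the request path plus the query string
    """
    if condition_input == "{URL}":
        subject = urlsplit(request_uri).path
    elif condition_input == "{REQUEST_URI}":
        subject = request_uri
    else:
        raise ValueError(f"unsupported server variable: {condition_input}")
    return REWRITE_PATTERN.search(subject) is not None


# Constructed IIS log excerpt in W3C extended format. IIS writes a '#Fields:'
# header naming the columns and replaces spaces inside a value with '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-29 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 08:12:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell?X-Rps-CAT=AAAA 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2022-09-29 08:13:44 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell?X-Rps-CAT=AAAA 443 - 203.0.113.7 Mozilla/5.0 - 401 1 0 15
2022-09-29 08:14:02 10.0.0.5 POST /autodiscover/autodiscover.json - 443 CORP\\alice 10.0.0.77 Microsoft+Office/16.0 - 200 0 0 9
2022-09-29 08:15:30 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 10.0.0.78 Mozilla/5.0 - 200 0 0 4
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupted line; IIS never writes spaces inside a value
        yield dict(zip(fields, values))


def is_proxynotshell_signature(rec, require_success=True):
    """Match the advisory's signature against one parsed request.

    Requires 'autodiscover.json' in the URI, an '@' after it, and 'powershell'
    after the '@' (the backend path the SSRF reaches). With require_success the
    request must also have returned 200; a 401/403/500 on the same URI is still
    worth reviewing as an attempt, so callers can disable that filter.
    """
    uri = rec["cs-uri-stem"]
    if rec.get("cs-uri-query", "-") != "-":
        uri += "?" + rec["cs-uri-query"]
    uri = uri.lower()
    ad = uri.find("autodiscover.json")
    at = uri.find("@", ad) if ad != -1 else -1
    if at == -1 or uri.find("powershell", at) == -1:
        return False
    return rec.get("sc-status") == "200" or not require_success


def scan_iis_log(text, require_success=True):
    """Return the parsed log records that match the signature."""
    return [r for r in parse_iis_log(text) if is_proxynotshell_signature(r, require_success)]


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG, require_success=False):
        print(hit["date"], hit["time"], hit["c-ip"], hit["sc-status"],
              hit["cs-uri-stem"] + "?" + hit["cs-uri-query"])
```

To run it against real data, read each *.log file under the IIS log directory and pass its contents to scan_iis_log; keep require_success=False during triage so that failed attempts from the same source addresses are surfaced alongside successful ones.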
[1] hXXps://msrc-blog.microsoft[.]com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
[2] hXXps://www.gteltsc[.]vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
[3] hXXps://twitter[.]com/GossiTheDog/status/1575762721353916417
[4] hXXps://www.gteltsc[.]vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
Tags: Breaches, Flash Report, Threat Intelligence, Vulnerability