
Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers that are being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.
The first vulnerability, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, tracked as CVE-2022-41082, permits remote code execution (RCE) once PowerShell is accessible to the attacker. These two zero-days currently affect Exchange Server 2013, 2016 and 2019. Note that Exchange Online customers are not affected.
Microsoft is currently aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that successful exploitation of either vulnerability requires authenticated access to the vulnerable Exchange server.
The two vulnerabilities were collectively named ProxyNotShell because “it’s the same path and SSRF/RCE pair” as ProxyShell, but with authentication, which indicates an incomplete patch. The vulnerabilities were first discovered by the Vietnamese cybersecurity company GTSC as part of its incident response work for a customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.
Microsoft stated that it is working on an “extended timeline” to release a fix for the flaws. It has also published a script for the URL Rewrite mitigation steps below. Until a patch is available, you can apply the following workaround manually (details are also given in the Microsoft blog post you can find here):
- Open IIS Manager
- Select Default Web Site
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rule(s)…
- Select Request Blocking and click OK
- Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes)
- Select Regular Expression under Using
- Select Abort Request under How to block and then click OK
- Expand the rule and select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.
- Change the Condition input from {URL} to {REQUEST_URI}
As further mitigation measures, the company is urging organizations to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users not to accept unexpected two-factor authentication (2FA) prompts.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the two zero-day Microsoft Exchange vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring all federal agencies to apply the patches by October 21, 2022. Organizations should identify their critical Exchange assets and apply the appropriate workarounds immediately until Microsoft releases a patch in the coming days.