Summary:

In early August 2022, researchers at the Vietnamese cybersecurity vendor GTSC discovered attacks against critical infrastructure that chained two then-undisclosed (zero-day) Exchange Server vulnerabilities, now commonly referred to as ProxyNotShell.

Microsoft’s Security Response Center (MSRC) stated: “The first exploit, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.” Both CVEs carry a CVSS base score of 8.8 out of 10 (High).

MSRC went on to say: “In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.”

At the time of writing, Microsoft is aware of limited targeted attacks using these two vulnerabilities.

Mitigation:

On October 4, Microsoft updated its advisory with an improved URL Rewrite rule and recommended that customers review and apply one of the following options (the manual steps below also incorporate the October 5 revision to the rule’s Condition input):

Option 1: The Exchange Emergency Mitigation Service (EEMS) rule has been updated and is applied automatically. This only covers servers on which EEMS is present and able to reach Microsoft; Exchange 2013 servers, and servers running Cumulative Updates that predate EEMS, must use Option 2 or Option 3.

Option 2: The previously provided Exchange On-premises Mitigation Tool v2 (EOMTv2) script has been updated to include the URL Rewrite improvement.

Option 3: Manually delete the previously created rule and add the improved one by following the instructions below:

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover\.json.*Powershell.*” (excluding quotes).
  • Select Regular Expression under Using.
  • Select Abort Request under How to block and then click OK.
  • Expand the rule and select the rule with the pattern .*autodiscover\.json.*Powershell.* and click Edit under Conditions.
  • Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}}.

In addition, Microsoft recommends disabling remote PowerShell access for non-admin users, and its advisory states that Exchange Server customers should complete both mitigations, not just one of them.
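One way to carry out the second mitigation in the Exchange Management Shell, as an added example that is not part of the advisory or Microsoft’s own scripts: treat the direct members of the administrative role groups as the allow-list and turn off remote PowerShell for every other mailbox user. The role-group list is an assumption and should be adjusted to the groups that actually administer your organization; the `-WhatIf` is deliberate so the candidate list can be reviewed before anything changes.

```powershell
# Role groups whose members keep remote PowerShell. Assumed list; edit to match your org.
$adminGroups = @('Organization Management', 'Server Management', 'Recipient Management')

# Collect the distinguished names of the direct members of those groups.
# Nested groups are not expanded here; expand them yourself if you use them.
$adminDNs = foreach ($group in $adminGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DistinguishedName }
}
$adminDNs = @($adminDNs | Sort-Object -Unique)

# Every mailbox user who still has remote PowerShell enabled and is not an admin.
$candidates = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        $_.RemotePowerShellEnabled -and ($adminDNs -notcontains $_.DistinguishedName)
    }

"Would disable remote PowerShell for $($candidates.Count) user(s):"
$candidates | Select-Object Name, DistinguishedName

# Apply the change. Remove -WhatIf once the list above is what you expect.
$candidates | ForEach-Object {
    Set-User -Identity $_.Identity -RemotePowerShellEnabled $false -WhatIf
}

# Audit afterwards: whoever is left here can still open a remote PowerShell session.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, RecipientTypeDetails
```

Do not run this against the account you are using for the session without another admin path, and re-run the audit at the end after the next Cumulative Update; newly created mailboxes default to `RemotePowerShellEnabled` being true, so the check needs to be repeated, not done once.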

Timeline:

October 6, 2022 updates:
An updated version of EOMTv2 was released to remove an extra space in the script; the space did not affect functionality.

October 5, 2022 updates:
A further improvement was made to the URL Rewrite rule mitigation. Customers should review and use one of these options:

  • Option 1: The mitigation for EEMS rule has been updated and the updates will be applied automatically.
  • Option 2: The mitigation for EOMTv2 has been updated.
  • Option 3: The instructions and image in step 10 were updated to reflect the Condition input change.

Added under the Mitigations section that Exchange Server customers should complete both recommended mitigations.

October 4, 2022 updates:
Important updates were made to the Mitigations section, improving the URL Rewrite rule. Customers should review and use one of these options:

  • Option 1: The EEMS rule is updated and is automatically applied.
  • Option 2: The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.
  • Option 3: The URL Rewrite rule instructions have been updated. The string in step 6 and step 9 has been revised. Steps 8, 9, and 10 have updated images.

October 2, 2022 updates:

September 30, 2022 updates:

  • Added link to Microsoft Security blog in Summary.
  • Microsoft created a script for the URL Rewrite mitigation steps and modified step 6 in the Mitigations section.
  • Microsoft released the Exchange Emergency Mitigation Service (EEMS) mitigation for this issue. More information is in the Mitigations section. 

Reach out to Messageware to improve Microsoft Exchange Server Security

If you are not protecting all the protocols used by your Exchange Server, you’re putting your company at a higher risk of a data breach.

Security incidents happen frequently. They cause disruption, loss of data and potentially risk the reputation of your company. However, if you implement these steps, you’re doing more than most other companies.

Have you heard about Messageware’s EPG? It offers advanced Exchange Server security that protects organizations from a variety of logon and password attacks, with extensive real-time reporting and alerts on suspicious logon activity.