top of page
hpopejoy7

Microsoft Exchange Server Zero-Day Vulnerabilities

Updated: May 20

Background


Microsoft recently disclosed two zero-day vulnerabilities that affect Microsoft Exchange servers 2013, 2016, and 2019 (CVE-2022-41040 and CVE-2022-41082). Currently, there is no patch for these vulnerabilities, and they have actively been exploited. The newly disclosed Exchange vulnerabilities are similar to the ProxyShell exploit, which can result in remote code execution via Powershell.


Early reports indicate that ChinaChopper is being deployed following successful exploitation. Kivu observed similar attack chains last year, which led to full ransomware events.


Microsoft has released information on two new zero days affecting on-premises Microsoft Exchange servers.


  • To exploit these vulnerabilities, a user must have authenticated access to the vulnerable Exchange Server to use CVE-2022-41040 to remotely trigger CVE-2022-41082.

  • CVE-2022-41040 – Server-Side Request Forgery (SSRF) vulnerability. This results from improper validation of user-supplied input within the Exchange OWA interface. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.  SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.  Zero Day Initiative website:  ZDI-CAN-18333 (CVSS score: 8.8)

  • CVE-2022-41082 – allows remote code execution (RCE) when PowerShell is accessible to the attacker. RCE is a type of security vulnerability that allows attackers to run arbitrary code on a remote machine.  Zero Day Initiative website:  ZDI-CAN-18802 (CVSS score: 6.3)

  • These two CVEs reference vulnerabilities for Microsoft Exchange Server 2013, 2016, and 2019.

  • The two zero-days are chained to deploy “Chinese Chopper” web shells for persistence and data theft and to move laterally through the victim’s networks.

  • Microsoft advises that Microsoft Exchange Online is not affected.

How Do Organizations Determine If Their Exchange Server Is Vulnerable?


To determine if your Exchange Server is vulnerable, Microsoft recommends running this PowerShell command:

  • Run this PowerShell command to scan IIS log files for Indicators of Compromise (IOC): Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200’

  • It’s important to check for exploit requests in IIS logs with the same format as the ProxyShell vulnerability. Please keep in mind, webshells could be obfuscated.

How Do Organizations Mitigate These Vulnerabilities?


Microsoft Security Response Center – Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server


October 5, 2022 updates:

  • Exchange Server customers should complete both the URL Rewrite rule mitigation for CVE-2022-41040 and the Disable remote PowerShell for non-admins mitigation for CVE-2022-41082 described below.

October 4, 2022 updates:

  • Important updates have been made to the Mitigations section improving the URL Rewrite rule. Customers should review the Mitigations section and apply one of these updated mitigation options:

  • Option 1: The EEMS rule is updated and is automatically applied.

  • Option 2: The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.

  • Option 3: The URL Rewrite rule instructions have been updated. Step 6 and step 9 listed below have been revised.

September 30, 2022 updates: 

  • Microsoft released a step-by-step procedure to mitigate the risk of exploitation for the Exchange zero-day vulnerabilities, which include the following:

  1. Open the IIS Manager.

  2. Select Default Web Site.

  3. In the Feature View, click URL Rewrite.

  4. In the Actions pane on the right-hand side, click Add Rule(s)…

  5. Select Request Blocking and click OK.

  6. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.

  7. Select Regular Expression under Using.

  8. Select Abort Request under How to block and then click OK.

  9. Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions.

  10. Change the Condition input from {URL} to {REQUEST_URI}

  • Microsoft also recommends customers block the following Remote PowerShell ports:

  • HTTP: 5985

  • HTTPS: 5986

  • Customers should disable remote PowerShell access for non-admin users in the organization.

  • Video: https://com/watch?v=JQtW9xd5-Hw…

  • Please note, the workaround does not fully mitigate the vulnerability.

Please keep in mind that these are mitigation steps developed by Microsoft, but these steps will not completely remediate the vulnerabilities.  Kivu continues to track these vulnerabilities and will provide more guidance as it becomes available.


Recommendations


  • The Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) can be used to mitigate CVE-2022-41040. This script does the following:

  • Check for the latest version of EOMTv2.ps1 and download it.

  • Mitigate against current known attacks using CVE-2022-41040 via a URL Rewrite configuration. The steps are listed above.

  • Use of the Exchange On-premises Mitigation Tool v2 is subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy

  • Use of monitored Endpoint Detection and Response tools to block unwanted activity on the Exchange server and throughout the entire environment.Should these Exchange vulnerabilities be successfully exploited, EDR can detect and mitigate malicious activity within the environment to stop further damage. Kivu provides 24/7 endpoint monitoring services which assists our clients with protecting their systems. Contact us today for a free consultation.

Sources




11 views0 comments

Recent Posts

See All

Kivu Threat Intel - Fog Ransomware

NEW RANSOMWARE VARIANT FOG LINKED TO AKIRA Key Takeaways Fog first emerged in April 2024 Links to Akira affiliate through infrastructure...

Comments


bottom of page