On September 29, Vietnamese security group GTSC released a blog post identifying two zero-day security vulnerabilities, CVE-2022-41040 and CVE-2022-41082. Used together, these vulnerabilities could give an attacker the ability to perform remote code execution (RCE) on affected Microsoft Exchange servers. Microsoft has confirmed that the vulnerabilities are being exploited in attacks in the wild.
How Do These Vulnerabilities Work?
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that has some similarities to the ProxyShell collection of vulnerabilities, while CVE-2022-41082 allows for remote code execution. In the wild, these two vulnerabilities are being exploited in combination to grant remote code execution on Microsoft Exchange servers.
Am I At Risk?
CVE-2022-41040 can be exploited only if the attacker is already authenticated. Exploitation then allows the attacker to trigger the CVE-2022-41082 remote code execution vulnerability.
These vulnerabilities apply if:
- You run on-premises Microsoft Exchange Server 2013, 2016, or 2019 with Outlook Web App. Office 365/Exchange Online customers are not at risk.
- The attacker is authenticated, which is required to exploit CVE-2022-41040 (any non-admin email credentials will suffice).
- Remote PowerShell is reachable by the attacker, which is required to exploit CVE-2022-41082.
If your organization fits this profile, administrators who want to check for compromise can run the following PowerShell command to scan IIS logs for indicators:
Get-ChildItem -Recurse -Path
In addition, Microsoft provides some tools on their blog post (link shared below) that may help detect web shells and post-exploitation activity in general.
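As an added example (not the page's own command and not Microsoft's), the following PowerShell wraps the same kind of IIS log scan in a reusable function and runs it over constructed sample lines. The indicator regex, the function name and the temporary log path are assumptions made for this example; Microsoft's guidance (linked below) publishes its own Select-String pattern, which should be preferred for an official check.

```powershell
# Added example: scan IIS W3C logs for requests that combine the Autodiscover
# endpoint, an "@" in the URL and a PowerShell target, and report each hit as
# an object for triage (sort, export, or forward to a SIEM).

# Assumption: order-independent pattern written for this example. Lookaheads
# check each token anywhere in the line; ".+" then consumes the line so
# Select-String reports a real match rather than an empty one.
$IndicatorPattern = '^(?=.*autodiscover\.json)(?=.*@)(?=.*powershell).+'

function Find-AutodiscoverPowershellHits {
    param(
        [Parameter(Mandatory)] [string] $LogPath,   # folder holding IIS *.log files
        [string] $Pattern = $IndicatorPattern
    )
    Get-ChildItem -Recurse -Path $LogPath -Filter '*.log' -File |
        Select-String -Pattern $Pattern |                 # case-insensitive by default
        Where-Object { -not $_.Line.StartsWith('#') } |   # skip W3C header lines
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.Path
                LineNo = $_.LineNumber
                Line   = $_.Line.Trim()
            }
        }
}

# --- Constructed demonstration data; not real traffic ---
# The second request line is built to match the pattern; the others are benign.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'iis-log-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-09-29 10:00:01 GET /owa/ - 443 10.0.0.5 200
2022-09-29 10:00:07 GET /autodiscover/autodiscover.json @example.test/powershell 443 10.0.0.9 200
2022-09-29 10:00:09 POST /autodiscover/autodiscover.json - 443 10.0.0.5 401
'@ | Set-Content -Path (Join-Path $demo 'u_ex220929.log')

$hits = @(Find-AutodiscoverPowershellHits -LogPath $demo)
$hits | Format-Table -AutoSize

# Replace $demo with the real IIS log folder (e.g. the W3SVC1 directory under
# inetpub\logs\LogFiles) on the Exchange server to run the check for real.
Remove-Item -Recurse -Force $demo
```

A match is a lead, not a verdict: review the client IP, username and status fields of each hit and follow up with the web shell and post-exploitation checks Microsoft's post describes.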
Microsoft and GTSC have outlined steps organizations can take to temporarily mitigate the risk of these vulnerabilities until Microsoft releases a fix. The steps are included in the Microsoft and GTSC links shared below.
- The current recommended mitigation for CVE-2022-41040 is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
- The recommended mitigation for CVE-2022-41082 is to block the Remote PowerShell ports 5985 and 5986 on the Exchange Server.
Microsoft says it is “working on an accelerated timeline to release a fix.”
Want More Technical Details?
Microsoft Customer Guidance for Reported Zero-Day Vulnerabilities in Microsoft Exchange Server: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
GTSC’s blog post, including containment measures: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
Want Help With a Security Incident?
Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.
Get Future Compromise Alerts – Join Sedara Declassified
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.