Microsoft Confirms Two Zero Day Exploits of Exchange Server

Exchange Server products are potentially subject to two newly disclosed "zero-day" vulnerabilities that are being exploited, Microsoft acknowledged in a Thursday announcement.

The two vulnerabilities are combined as part of remote code execution (RCE) attacks. Microsoft described these common vulnerabilities and exposures (CVEs) as follows:

  • CVE-2022-41040, a Server-Side Request Forgery vulnerability, and
  • CVE-2022-41082, which allows RCE "when PowerShell is accessible to the attacker."

The two vulnerabilities are present in "Microsoft Exchange Server 2013, 2016 and 2019." Attackers need a user's credentials to carry out the exploits.

Concerning the Exchange Server vulnerabilities, Microsoft is aware of "limited targeted attacks":

At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

Exchange Online Not Vulnerable?
Microsoft claimed that "Exchange Online customers do not need to take any action," but many organizations using Exchange Online also may be using Exchange Server for administrative purposes, which once had been a requirement.

The point that Exchange Online users also are vulnerable was highlighted by security researcher Kevin Beaumont, formerly of Microsoft, who dubbed the two vulnerabilities "ProxyNotShell" in his blog post:

Microsoft say "Microsoft Exchange Online Customers do not need to take any action." This is false -- if you run Exchange hybrid servers, a standard part of Microsoft Exchange Online migration, they are vulnerable. Thousands of orgs present these to the internet, too.

Microsoft had announced back in April that it was dropping the Exchange Server management requirement for Exchange Online users with Cumulative Update 12 for Windows Server 2019. However, Microsoft has also suggested that Exchange Online users "may not want to decommission Exchange Servers from on-premises," too, so it's a murky scenario.

Mitigation Steps for Now
Microsoft offered "mitigation" steps that Exchange Server users can implement to "block known attack patterns," as described in the Thursday announcement.

Mitigation advice also came from security solutions company GTSC, which first blew the whistle on the attacks by describing the zero-day Exchange Server flaws in this post. GTSC speculated that the exploits were being used by a "Chinese attack group."

Microsoft acknowledged, in the comments section of its announcement, that it had fixed an early glitch in its mitigation advice, which had differed from GTSC's advice. "MSRC blog post has now been edited to specify 'Regular Expressions' instead of 'Wildcards,'" wrote Nino Bilic of Microsoft. It seemed to be a goof on Microsoft's part.

Microsoft is working on a patch for the security issues, but offered its mitigation steps in the meantime "to help customers protect themselves from these attacks." Microsoft claimed that the mitigation has "no known impact to Exchange functionality if the URL Rewrite module is installed as recommended." It also recommended blocking two ports used by Remote PowerShell.

Microsoft's usual security tools appear able to detect the post-exploitation malware used in these attacks.

Similar to ProxyShell
The exploits apparently follow a pattern similar to last year's ProxyShell attacks, but require authenticated access.

That circumstance led to initial confusion about whether GTSC was actually describing zero-day attacks, although Microsoft has essentially confirmed them as such. Early discussion on the ProxyShell attack similarities was highlighted by Beaumont, who offered this very informative Sept. 30 Twitter thread on the topic.

Beaumont also advised organizations to "stop representing OWA to the internet until there is a patch," presumably referring to the Outlook Web App. This advice isn't mentioned by Microsoft, but it was echoed by Jon Hencinski, vice president of security operations at security solutions company Expel.

After following Microsoft's mitigation advice, organizations should "review your Exchange configuration to determine if Outlook Web App (OWA) is exposed to the internet," Hencinski commented via e-mail. "If it's exposed, determine if it's necessary for any current business needs and evaluate the risk."

Hencinski added that "services like Shodan and Censys can help determine what services are publicly accessible."
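The mitigation items described above (the URL Rewrite module, blocking the two Remote PowerShell ports, staying on a current cumulative update) and Hencinski's advice to check whether OWA is exposed can be turned into a single posture check. The following PowerShell audit script is an added example, not code from the article, Microsoft, GTSC or Expel; it assumes it runs in the Exchange Management Shell on the Exchange server itself, that the two ports Microsoft refers to are the WinRM ports 5985 (HTTP) and 5986 (HTTPS), and that IIS registers URL Rewrite under the global module name "RewriteModule".

```powershell
# Added example (not from the article or from Microsoft): a read-only posture
# check for an on-premises Exchange server. Assumptions: runs in the Exchange
# Management Shell on the server; the "two ports" are WinRM 5985/5986; the
# URL Rewrite module is registered in IIS as "RewriteModule".
Import-Module WebAdministration

$server   = $env:COMPUTERNAME
$findings = @()

# 1. Build level: Security Updates only apply to the latest supported
#    Cumulative Updates, so record the build for the patch-readiness review.
$exch = Get-ExchangeServer -Identity $server
$findings += "Exchange build: $($exch.AdminDisplayVersion)"

# 2. OWA exposure: an ExternalUrl on the OWA virtual directory is a strong
#    hint that OWA is published to the internet and should be reviewed.
foreach ($vd in Get-OwaVirtualDirectory -Server $server) {
    if ($vd.ExternalUrl) {
        $findings += "OWA '$($vd.Identity)' has ExternalUrl $($vd.ExternalUrl): confirm exposure is required"
    } else {
        $findings += "OWA '$($vd.Identity)' has no ExternalUrl set"
    }
}

# 3. URL Rewrite module: the interim mitigation is a rewrite rule and cannot
#    be applied unless the module is installed.
if (Get-WebGlobalModule -Name RewriteModule -ErrorAction SilentlyContinue) {
    $findings += "URL Rewrite module is installed"
} else {
    $findings += "URL Rewrite module is NOT installed: rewrite-rule mitigation cannot be applied"
}

# 4. Remote PowerShell ports: collect local ports covered by enabled inbound
#    block rules, then check the two WinRM ports. Port ranges (e.g. "5000-6000")
#    are not expanded here, so a range-based rule would show as NOT blocked.
$blockedPorts = @()
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    ForEach-Object { $blockedPorts += @($_.LocalPort) }
foreach ($port in '5985', '5986') {
    if ($blockedPorts -contains $port) {
        $findings += "Inbound TCP $port is blocked by an enabled firewall rule"
    } else {
        $findings += "Inbound TCP $port is NOT blocked by any enabled firewall rule"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

The script changes nothing; it only reports, so the findings can be reviewed against Microsoft's current guidance before any rule or firewall change is made.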

Other security researchers, such as Claire Tills, senior research engineer at security solutions firm Tenable, affirmed that the Exchange Server vulnerabilities appear to be "variants of ProxyShell -- a chain of vulnerabilities disclosed in late 2021." Tills offered the following observation, via e-mail:

The key difference is that both these latest vulnerabilities, CVE-2022-41040 and CVE-2022-41082, require authentication where ProxyShell did not. Microsoft has confirmed the vulnerabilities but, at this time, we're still waiting on patches. Once those are available, organizations should deploy them with urgency. Microsoft and GTSC have both offered mitigation guidance for organizations to consider until patches have been released. ProxyShell was and remains one of the most exploited attack chains released in 2021.

Security solutions firm Huntress is posting updated information about the vulnerabilities in this post. "Currently, there are no known proof-of-concept scripts or exploitation tooling available in the wild," wrote John Hammond, senior security researcher at Huntress.

Microsoft hasn't issued patches yet. Organizations running Exchange Server will likely need to be on the latest cumulative updates, though, when those patches arrive.

"It's very likely when MS produces patches for this, they will be only for the latest supported Exchange CUs -- so you probably want to get to those first, otherwise the SU (Security Updates) won't show as applicable," Beaumont wrote in the Twitter thread.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
