Microsoft has released mitigations for two new Microsoft Exchange zero-day vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, although experts caution that the mitigation for on-premises systems is insufficient.
Threat actors are already chaining both zero-days in ongoing campaigns to compromise Microsoft Exchange servers and achieve remote code execution.
The Vietnamese cybersecurity firm GTSC revealed both security weaknesses through the Zero Day Initiative programme roughly three weeks ago, and last week made the information available to the general public.
Too specific mitigation
On Friday, Microsoft acknowledged the two problems and stated they were “aware of limited targeted assaults” that exploited them.
Microsoft offered mitigations for on-premises systems as part of an advisory and strongly advised Exchange Server customers to “limit remote PowerShell access for non-admin users” in their organizations.
To lower the chance of exploitation, Microsoft suggested adding a rule in IIS Manager that blocks the known attack pattern:
Open IIS Manager.
Select the Default Web Site.
Click URL Rewrite in the Feature View.
Click “Add Rules” in the Actions pane on the right.
Select Request Blocking and click OK.
Add the string “.*autodiscover\.json.*\@.*Powershell.*” (without the quotation marks) and click OK.
Expand the rule, select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*”, and click Edit under Conditions.
Change the Condition input from {URL} to {REQUEST_URI}.
Microsoft’s revised Exchange On-premises Mitigation Tool, a script that requires PowerShell 3 or later, must be run with admin credentials, and supports IIS 7.5 or newer, lets administrators apply the same rule automatically.
However, the URL pattern Microsoft recommends only matches the attack requests that are currently known.
In a tweet posted today, security researcher Jang demonstrates that Microsoft’s temporary fix for thwarting the use of CVE-2022-41040 and CVE-2022-41082 is ineffective and easily circumvented.
Will Dormann, a senior vulnerability analyst at ANALYGENCE, agrees with that conclusion, noting that the ‘@’ in Microsoft’s URL block “looks too precise, and consequently insufficient.”
After testing Jang’s finding, researchers at GTSC confirmed in a video today that Microsoft’s mitigation does not provide sufficient protection.
Jang offered a less specific substitute for the URL block proposed by Microsoft that would cover a larger range of attacks:
.*autodiscover\.json.*Powershell.*
Risky hybrid installations
In its advisories for the two vulnerabilities, Microsoft states that Exchange Online customers do not need to take any action and that the mitigation instructions apply only to users of on-premises Exchange Server.
However, many enterprises combine on-premises Microsoft Exchange deployments with the cloud, and they should be aware that this leaves them vulnerable as well.
Security expert Kevin Beaumont warns in a video posted today that an organization remains vulnerable as long as an Exchange Server is installed on-premises.
A hybrid Exchange arrangement is “very typical” in enterprise environments, according to Beaumont, who refers to the attack chain as ProxyNotShell, and these environments should take into account the level of risk they are exposed to.
Over 1,200 of these organisations make their hybrid deployments accessible to the public online. They include organisations in the government, education, and financial sectors—all extremely desirable targets for hackers conducting espionage or extortion operations.
A fix is still to arrive
As of the time of publication, Microsoft has not yet provided an update to address the two problems, but it has released security advisories that describe the impact and the prerequisites for exploitation.
According to Microsoft, CVE-2022-41040 is a high-severity (8.8/10) vulnerability that an attacker can easily exploit to gain further access to the vulnerable machine without the user’s knowledge.
The severity rating for this issue is not higher because the threat actor needs to be authenticated.
CVE-2022-41082 has the same high severity rating and can be exploited remotely by an attacker with “privileges that allow basic user capabilities” (settings and files owned by the user) on unpatched on-premises Microsoft Exchange Servers.
[October 3, 2022, 17:06 EST] Update: Having a hybrid Microsoft Exchange system would protect some firms from attacks; Kevin Beaumont has clarified this in the article.