Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)

Vietnamese cybersecurity outfit GTSC has reported two critical vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 via the Zero-day initiative (ZDI-CAN-18333 and ZDI-CAN-18802). The first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft has mentioned in the advisory that “we are aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.” 
 
Microsoft has mentioned in the advisory that Exchange Online customers do not need to take any actions for this vulnerability. Microsoft has released a workaround for vulnerable on-premises Microsoft Exchange instances. Microsoft has mentioned in the advisory, “We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detection guidance below to help customers protect themselves from these attacks.” 
 
Description 
The two vulnerabilities are dependent on each other. The exploitation of CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. The customers should know that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. 

Mitigation 
NOTE: Microsoft has patched these vulnerabilities in its Patch Tuesday, November 2022 edition. 
Microsoft has advised its users to apply the patches. The previously released mitigations are no longer recommended.

Evaluating workaround using Qualys Policy Compliance (PC) 
Qualys Policy Compliance customers can evaluate workaround based on the following Controls: 
 
For CVE-2022-41040 and CVE-2022-41082 
24782 Status of the ‘URL Rewrite Instructions’ configured for the site and applications.

For CVE-2022-41082
24802 Disable remote PowerShell access for non-admins
 
Qualys Detection  
Qualys customers can scan their devices with QID 50122 to detect vulnerable assets. The QID is available starting releases VULNSIGS-2.5.596-5 and QAGENT-SIGNATURE-SET-2.5.596.5-4.

Read the Qualys Blog to know how customers can leverage the Qualys platform to detect and mitigate the vulnerabilities: Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform

Continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/  
https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html  

Leave a Reply

Your email address will not be published. Required fields are marked *