- Cybersecurity researchers say the URL pattern in the mitigation for the Exchange zero-day vulnerabilities can be bypassed easily.
- According to cybersecurity researchers, “@” in the URL block “seems unnecessarily precise, and therefore insufficient.”
- The vulnerabilities are still being exploited, and Microsoft has not yet released a patch to address them, leaving users exposed to attacks.
Two new zero-day vulnerabilities are giving Microsoft a hard time. The Microsoft Exchange zero-days, tracked as CVE-2022-41040 and CVE-2022-41082, are currently being exploited in the wild, allowing attackers to breach servers and achieve remote code execution. The vulnerabilities were reported through the Zero Day Initiative approximately three weeks ago, and GTSC shared the details last week.
Not fixed yet
So far, Microsoft has not released any fix for the vulnerabilities, leaving users exposed to incoming attacks. In its advisory, the tech giant shared mitigations to help users protect their servers, urging them to disable remote PowerShell access for non-admin users. Microsoft’s solution focuses on blocking known attack patterns with a rule in IIS Manager: the current mitigation is to add a blocking rule under “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” that blocks the known attack patterns.
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}.
The '@' in the Microsoft-recommended ".*autodiscover.json.*@.*Powershell.*" URL block mitigations for CVE-2022-41040 CVE-2022-41082 seems unnecessarily precise, and therefore insufficient. Video: https://t.co/63VBV5o9Cr
Probably try ".*autodiscover.json.*Powershell.*" instead. https://t.co/uX1oE975Lm pic.twitter.com/NZy8tEvryZ
Will Dormann (@wdormann), October 3, 2022
Unfortunately, this method is only effective against known attacks, because the URL pattern is written around them. Security researchers point out that this temporary solution is not enough and can be bypassed easily. Security researcher Jang tweeted about the problem with the mitigation, and it was confirmed by ANALYGENCE, which stated that the “@” in the URL block “seems unnecessarily precise, and therefore insufficient.” GTSC also published a video confirming that the mitigation does not provide sufficient protection.