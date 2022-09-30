ZDI verified and acknowledged two bugs impacting Exchange Server 2013, 2016, and 2019, with CVSS scores of 8.8 and 6.3.

Microsoft announced that the team is working on a fix and mitigation is published to protect the users against ongoing attacks.

The first vulnerability is a Server-Side Request Forgery (SSRF), while the second allows remote code execution when PowerShell is accessible to the attacker.

Vietnamese cybersecurity company GTSC announced that, while its team was providing security monitoring and incident response services, it discovered that a critical infrastructure target was under attack, specifically its Microsoft Exchange application. The investigation showed that the attackers were exploiting an unpublished Exchange vulnerability. GTSC reported the bugs to the Zero Day Initiative, which verified them and passed them to Microsoft; ZDI assigned CVSS scores of 8.8 and 6.3.

Exchange Server 2013, 2016, and 2019

Shortly after, Microsoft published an advisory that confirms the situation. The two vulnerabilities are impacting Exchange Server 2013, 2016, and 2019 and they are being exploited by attackers. One of the vulnerabilities is being tracked as CVE-2022-41040 and it is a Server-Side Request Forgery vulnerability. The other one is being tracked as CVE-2022-41082 and allows remote code execution when PowerShell is accessible.

According to the advisory, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. Microsoft also notes that authenticated access to the vulnerable Exchange Server is necessary to exploit either vulnerability.

Mitigations

According to Microsoft’s advisory, Exchange Online customers don’t need to take any action. On-premises Exchange customers should apply a URL Rewrite rule and block the exposed Remote PowerShell ports (HTTP 5985 and HTTPS 5986).

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.

Open the IIS Manager.

Expand the Default Web Site.

Select Autodiscover.

In the Feature View, click URL Rewrite.

In the Actions pane on the right-hand side, click Add Rules.

Select Request Blocking and click OK.

Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.

Expand the rule, select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*”, and click Edit under Conditions.

Change the condition input from {URL} to {REQUEST_URI}. {URL} holds only the request path, whereas {REQUEST_URI} also includes the query string, where the “@…Powershell” part of the known attack requests appears.
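The same mitigation, scripted, as an added example that is not Microsoft’s own script or tooling. It assumes the WebAdministration and NetSecurity modules available on a Windows Server Exchange host, the Default Web Site -> Autodiscover path used in the IIS Manager steps above, an assumed rule name, and two constructed sample request URIs (not captured traffic) that show why the condition has to read {REQUEST_URI} rather than {URL}.

```powershell
# Added example (not Microsoft's script): apply the URL Rewrite blocking rule and the
# Remote PowerShell port block from an elevated PowerShell session on the Exchange server.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Pattern  = '.*autodiscover\.json.*\@.*Powershell.*'     # pattern from the steps above
$RuleName = 'BlockAutodiscoverPowerShell'                # assumed name, not from the advisory
$SitePath = 'IIS:\Sites\Default Web Site\Autodiscover'   # Default Web Site -> Autodiscover
$Filter   = "system.webServer/rewrite/rules/rule[@name='$RuleName']"

# 1. Why the condition input must be {REQUEST_URI}: {URL} is the path only, {REQUEST_URI}
#    is path plus query string. Constructed sample values: the first mimics the shape of the
#    known probe, the second is an ordinary Autodiscover request that must not be blocked.
$Samples = @(
    @{ Url = '/autodiscover/autodiscover.json'
       RequestUri = '/autodiscover/autodiscover.json?@evil.example/powershell/?x=1' },
    @{ Url = '/autodiscover/autodiscover.json'
       RequestUri = '/autodiscover/autodiscover.json?Email=user@example.com&Protocol=Ews' }
)
foreach ($s in $Samples) {
    $onUrl = [regex]::IsMatch($s.Url,        $Pattern, 'IgnoreCase')
    $onUri = [regex]::IsMatch($s.RequestUri, $Pattern, 'IgnoreCase')
    "{0}`n  blocked via {{URL}}: {1}   blocked via {{REQUEST_URI}}: {2}" -f $s.RequestUri, $onUrl, $onUri
}

# 2. Add the Request Blocking rule (the scripted equivalent of the IIS Manager steps),
#    skipping it if a rule with that name is already present.
if (Get-WebConfiguration -PSPath $SitePath -Filter $Filter) {
    Write-Host "Rule '$RuleName' already present under $SitePath"
} else {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$Filter/match" -Name 'url' -Value '.*'
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$Filter/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; matchType = '0'; pattern = $Pattern; ignoreCase = 'True'; negate = 'False' }
    # AbortRequest drops the connection; the IIS Manager template defaults to a 403 CustomResponse instead.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$Filter/action" -Name 'type' -Value 'AbortRequest'
    Write-Host "Added rule '$RuleName' under $SitePath"
}

# 3. Read the condition back so the result can be checked against the IIS Manager view.
$Applied = Get-WebConfigurationProperty -PSPath $SitePath -Filter "$Filter/conditions/add" -Name 'pattern'
Write-Host "Active condition pattern: $($Applied.Value)"

# 4. Block the exposed Remote PowerShell (WinRM) listeners, 5985 HTTP and 5986 HTTPS.
#    Caveat: this also stops legitimate WinRM management of this host; if the server is
#    managed over WinRM from an admin network, scope the rule with -RemoteAddress instead.
$FwName = 'Block inbound Remote PowerShell 5985-5986'   # assumed display name
if (-not (Get-NetFirewallRule -DisplayName $FwName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $FwName -Direction Inbound -Protocol TCP `
        -LocalPort 5985, 5986 -Action Block | Out-Null
    Write-Host "Added firewall rule '$FwName'"
}
```

Against the constructed probe, the pattern matches only when it is applied to the path-plus-query value, which is the point of the last IIS Manager step; the ordinary Autodiscover request contains an “@” but no “Powershell”, so it passes either way. The rule is written to the Autodiscover application’s web.config, where IIS Manager shows it under URL Rewrite.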

Microsoft said,

« We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks. Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. We will continue to provide updates here to help keep customers informed. »