Researchers have discovered critical flaws in Microsoft’s Exchange Server. They are used in the 2013, 2016 and 2019 versions. While waiting for fixes, the publisher offers mitigation solutions.
At first, Microsoft did not react to the discovery made by a Vietnamese cybersecurity company, GTSC, of critical flaws in Exchange Server used in attacks. These zero-day flaws didn’t even have a classification. This is the case today, Microsoft said in a bulletin that “the first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, enables remote code execution (RCE) when PowerShell is accessible to the attacker”.
On the exploitation, “Microsoft is aware of limited targeted attacks using the two flaws to break into users’ systems”. The company added that the CVE-2022-41040 flaw could only be exploited by authenticated attackers. Successful exploitation then allows them to trigger a remote code execution of the CVE-2022-41082 breach.
Patches expected and mitigation measures put in place
The 2013, 2016 and 2019 versions of Exchange Server are affected by these flaws. Microsoft Exchange Online customers do not need to take any action at this time as zero-day only impacts Exchange on-prem instances. “We are working on an accelerated schedule to release a patch. Until then, we are providing the mitigation and detection guidance below to help customers protect against these attacks.
It says affected customers, “should review and apply the following URL rewrite guidelines and block exposed Remote PowerShell ports.” And to add, “the current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions “block known attack patterns”. Since threat actors can also access PowerShell Remoting on exposed and vulnerable Exchange servers to execute code remotely via CVE-2022-41082 exploit, Microsoft also advises administrators to block the following remote PowerShell ports to hinder attacks: HTTP: 5985 and HTTPS: 5986. Note that the company GTSC offers to know if its Exchange servers have been compromised by executing a command to analyze the IIS log files in search of indicators of compromise. The command is: Get-ChildItem -Recourse -Path -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover.json.*@.*200’.