Microsoft Exchange Zero-Day Actively Exploited In Attacks: How to Mitigate

Written by Aarush Ahuja
Co-founder @ FourCore
Blog Header Image

As of 30th Sept. 2022, A new zero-day is being actively exploited on Microsoft Exchange servers. MSRC has published guidance for customers to mitigate the vulnerability. Chatter on the internet of an actively exploited in Exchange started on 29th Sept. 2022, starting with a blog from the security vendor GTSC.

Kevin Beaumont posted this tweet tracking the issue. As is tradition, Kevin has christened the vulnerability, ProxyNotShell.

ProxyNotShell.png

Two vulnerabilities have been assigned CVE-2022-41040 and CVE-2022-41082 overnight by MSRC.

Microsoft Exchange Affected Version

Microsoft Exchange Online customers are not vulnerable and no action is required.

Effectively, all versions of Exchange 2013, 2016 and 2019 are vulnerable to the two vulnerabilities.

It should be noted that exploiting either of the vulnerability requires any non-admin credentials of an email user on the target Exchange server.

Mitigate Microsoft Exchange Zero-Day

For on-premise Exchange customers, MSRC has published steps to mitigate the vulnerability temporarily.

  1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
  2. Add string “*.autodiscover.json.@.*Powershell.“ to the URL Path.
  3. Condition input: Choose {REQUEST_URI}

You can also run this script to install the rewrite rule

1Import-Module WebAdministration
23Invoke-WebRequest -UseBasicParsing -Uri 'https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi' -OutFile "$env:windir\temp\rewrite.msi"
45Start-Process -FilePath "$env:windir\system32\msiexec.exe" -ArgumentList '/i', "$env:windir\temp\rewrite.msi", '/qn'
6Start-Sleep -Seconds 300
78$name = 'Block AutoDiscover 0-Day'
9$inbound = '.*autodiscover\.json.*\@.*Powershell.*'
10$site = 'IIS:\Sites\Default Web Site'
11$root = 'system.webServer/rewrite/rules'
12$filter = "{0}/rule[@name='{1}']" -f $root, $name
13
14Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patternSyntax = 'Regular Expressions'; stopProcessing = 'False' }
15Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value $inbound
16Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'type' -value 'CustomResponse'
17Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'statusCode' -value 403
18Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'statusReason' -value 'Forbidden'

(Script courtesy of John Duprey from the MSPGeek slack)

The mitigation does not have any known impact to Exchange functionality.

Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.

  • HTTP: 5985
  • HTTPS: 5986

What are the vulnerabilities in Exchange?

The vulnerabilities are similar to a previous vulnerability discovered in 2021, ProxyShell and even work on the same endpoint. CVE-2022-41040 is an SSRF in the exchange server which can be used to remotely trigger CVE-2022-41082 for PowerShell access.

The vulnerability was reported to Microsoft 22 days ago by GTSC via the Zero Day Initiative and has been actively exploited in the wild for at least a month.

Detect Exchange Zero-Day

Server admins can use this PowerShell script to scan IIS logs to find indicators of compromise.

1Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Security Researcher Kevin Beaumont recommends two queries to use with Microsoft Sentinel, which requires you to collect IIS logs.

Impact

There are currently more than 250,000 Outlook Web App servers exposed to the internet, which might be vulnerable to the vulnerability, as can be gathered from Shodan. A good recommendation could be to review your organization’s risk using the above detection queries inside IIS logs.

References