
Microsoft Exchange Zero-Day Actively Exploited In Attacks: How to Mitigate

Written by Aarush Ahuja
Co-founder @ FourCore

As of 30 Sept. 2022, a new zero-day is being actively exploited against on-premises Microsoft Exchange servers. MSRC has published guidance for customers to mitigate the vulnerability. Public chatter about an actively exploited Exchange flaw started on 29 Sept. 2022 with a blog post from the Vietnamese security vendor GTSC.

Kevin Beaumont posted a tweet tracking the issue and, as is tradition, christened the vulnerability ProxyNotShell.

Overnight, MSRC assigned two CVEs to the issue: CVE-2022-41040 and CVE-2022-41082.

Affected Microsoft Exchange Versions

Microsoft Exchange Online customers are not vulnerable and no action is required.

Effectively, all versions of Exchange Server 2013, 2016 and 2019 are vulnerable to both CVEs.

Note that exploiting either vulnerability requires authenticated access: the credentials of any mailbox user on the target Exchange server are enough, and no admin rights are needed.

Mitigate Microsoft Exchange Zero-Day

For on-premise Exchange customers, MSRC has published steps to mitigate the vulnerability temporarily.

  1. In IIS Manager, expand Default Web Site (the front end), select Autodiscover, open URL Rewrite and add a Request Blocking rule.
  2. Add the string .*autodiscover\.json.*\@.*Powershell.* (without quotes) to the URL Path.
  3. Edit the rule's condition and change the Condition input from {URL} to {REQUEST_URI}, so that the query string (where the @ and Powershell parts of the request live) is inspected as well.

Alternatively, this script installs the IIS URL Rewrite module and adds the same rule (run from an elevated PowerShell session on the Exchange server):

Import-Module WebAdministration

# Fetch and silently install the IIS URL Rewrite module; -Wait blocks until msiexec has finished
# instead of guessing with a fixed sleep.
Invoke-WebRequest -UseBasicParsing -Uri 'https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi' -OutFile "$env:windir\temp\rewrite.msi"
Start-Process -FilePath "$env:windir\system32\msiexec.exe" -ArgumentList '/i', "$env:windir\temp\rewrite.msi", '/qn' -Wait

$name = 'Block AutoDiscover 0-Day'
# Same regex as the manual rule above.
$inbound = '.*autodiscover\.json.*\@.*Powershell.*'
$site = 'IIS:\Sites\Default Web Site'
$root = 'system.webServer/rewrite/rules'
$filter = "{0}/rule[@name='{1}']" -f $root, $name

# Create the rule at site level (so it covers the Autodiscover virtual directory) and match every URL path.
Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patternSyntax = 'Regular Expressions'; stopProcessing = 'False' }
Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value '.*'
# 'match url' never sees the query string, so the pattern is applied as a condition on
# {REQUEST_URI} (path plus query), exactly as step 3 of the manual procedure requires.
Add-WebConfigurationProperty -PSPath $site -filter "$filter/conditions" -name '.' -value @{input = '{REQUEST_URI}'; pattern = $inbound }
# Answer matching requests with HTTP 403.
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'type' -value 'CustomResponse'
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'statusCode' -value 403
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'statusReason' -value 'Forbidden'

(Script courtesy of John Duprey from the MSPGeek slack)

MSRC states that the mitigation has no known impact on Exchange functionality.

An authenticated attacker who can reach Remote PowerShell on a vulnerable Exchange server can trigger remote code execution through CVE-2022-41082. Blocking the ports used by Remote PowerShell (the WinRM listeners) limits that access:

  • HTTP: 5985
  • HTTPS: 5986

This is a defence-in-depth step, not a replacement for the URL rewrite rule above: the SSRF reaches the PowerShell endpoint through the IIS front end, which is what the rewrite rule filters.

What are the vulnerabilities in Exchange?

The vulnerabilities resemble ProxyShell, discovered in 2021, and are reached through the same Autodiscover endpoint. CVE-2022-41040 is a server-side request forgery (SSRF) in Exchange Server that an authenticated attacker can use to reach the PowerShell backend and trigger CVE-2022-41082, which yields remote code execution.

GTSC reported the vulnerability to Microsoft via the Zero Day Initiative 22 days before this post was written (early September 2022), and says it has been exploited in the wild for at least a month.

Detect Exchange Zero-Day

Server admins can use this PowerShell one-liner to scan IIS logs for indicators of compromise, i.e. requests matching the exploit pattern that were answered with HTTP 200:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
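The same hunt, as an added example that is not from the original post or from MSRC, written to parse W3C-format IIS log lines into objects rather than returning raw matching lines. It goes one step beyond the one-liner: the URI is percent-decoded before matching, so an attacker writing @ as %40 is still caught, and a switch also surfaces attempts the rewrite rule answered with 403. The log lines embedded below are constructed samples; the IPs, host names and user agents in them are made up.

```powershell
# Added example (not from the original post or MSRC). The log lines are constructed samples.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 08:12:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2022-09-28 08:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell?Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.10 python-requests/2.28 - 200 0 0 118
2022-09-28 08:12:11 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.corp/PowerShell?Email=autodiscover/autodiscover.json%3F%40evil.corp 443 - 203.0.113.10 python-requests/2.28 - 200 0 0 97
2022-09-28 08:12:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell?Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.10 python-requests/2.28 - 403 0 0 3
'@

function Find-ProxyNotShellRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string] $LogLine,
        [switch] $IncludeBlocked   # also report hits the rewrite rule answered with 403
    )
    begin { $fields = $null }
    process {
        if ($LogLine -like '#Fields:*') {
            # Column layout is declared in the log header; map names to positions from it.
            $fields = ($LogLine -replace '^#Fields:\s*', '') -split '\s+'
            return
        }
        if ($LogLine -like '#*' -or [string]::IsNullOrWhiteSpace($LogLine) -or -not $fields) { return }

        $parts = $LogLine -split '\s+'
        if ($parts.Count -ne $fields.Count) { return }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }

        # Decode before matching so a percent-encoded '@' or '?' cannot slip past the regex.
        $uri = [System.Uri]::UnescapeDataString(('{0}?{1}' -f $row['cs-uri-stem'], $row['cs-uri-query']))

        # -match is case-insensitive by default, so 'PowerShell' and 'powershell' both match.
        if ($uri -notmatch 'autodiscover\.json.*@.*powershell') { return }
        if ($row['sc-status'] -ne '200' -and -not $IncludeBlocked) { return }

        [pscustomobject]@{
            Time     = '{0} {1}' -f $row['date'], $row['time']
            ClientIP = $row['c-ip']
            Method   = $row['cs-method']
            Status   = [int]$row['sc-status']
            Uri      = $uri
        }
    }
}

# Over the constructed sample this reports the two HTTP 200 hits from 203.0.113.10; add
# -IncludeBlocked to see the 403 as well. Against real logs:
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' | Find-ProxyNotShellRequest
$SampleLog -split "`r?`n" | Find-ProxyNotShellRequest | Format-Table -AutoSize
```

A 200 on a matching request means the backend actually served it and the source IP deserves a closer look; a 403 only tells you someone probed and the rule held.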

Security researcher Kevin Beaumont also recommends two queries for Microsoft Sentinel; they require your IIS logs to be collected into Sentinel.

Impact

Shodan currently shows more than 250,000 Outlook Web App front ends exposed to the internet, some share of which run vulnerable on-premises Exchange. A good first step is to review your organization's exposure by running the detection queries above against your IIS logs.
