CVE-2022-41040, CVE-2022-41082, ZDI-CAN-18333, ZDI-CAN-18802
We would like to update you on the following critical 0-day vulnerability within Exchange Server. Whilst this issue is being exploited in the wild, the scope of these attacks is currently not known.
A previously unknown authenticated remote code execution (RCE) vulnerability has been discovered being exploited in the wild. A combination of a Server-Side Request Forgery (SSRF) vulnerability and a second vulnerability leads to RCE. Post-exploitation activity has included obfuscated webshells being dropped onto Exchange servers along with malicious DLL files.
This is an ongoing threat, and details are still emerging. We will update this threat alert as more information becomes available.
Affected Versions
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Note: Exchange Online is not affected.
Detection
Two methods of detection are currently available to help identify whether a server is affected.
Method 1 – PowerShell
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'
Method 2 – GTSC Tool
GTSC has released a detection tool that is reportedly faster than the PowerShell method. CovertSwarm has not tested this tool; see the references for details.
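The PowerShell one-liner in Method 1 applies one fixed-order regex to every line of every IIS log. The following is an added example, not part of this alert and not CovertSwarm's or Microsoft's code: it parses IIS W3C log lines by the names in the `#Fields` directive and reports requests whose path plus query string contain all three elements of the page's pattern (`autodiscover.json`, `@`, `powershell`) in any order and any case, returning only HTTP 200 responses by default, as the trailing `200` in the page's pattern does. The log excerpt, the `SAMPLE_IIS_LOG`, `parse_w3c`, `find_suspicious_requests` and `Hit` names, and all hostnames and IP addresses are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed IIS W3C log excerpt for demonstration; none of it comes from a
# real server. Hostnames/IPs are documentation placeholders. The #Fields line
# uses the default IIS field layout so the parser can locate columns by name.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-30 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 31
2022-09-30 08:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @placeholder.invalid/powershell 443 - 203.0.113.20 Mozilla/5.0 - 200 0 0 120
2022-09-30 08:00:03 10.0.0.5 GET /autodiscover/autodiscover.json @placeholder.invalid/PowerShell/ 443 - 203.0.113.21 curl/7.79 - 401 0 0 9
2022-09-30 08:00:04 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.invalid 443 - 203.0.113.30 Mozilla/5.0 - 200 0 0 45
"""

# The three elements of the page's detection pattern, checked independently of
# order and case rather than as the single fixed-order regex used with Select-String.
TOKENS = ("autodiscover.json", "@", "powershell")


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    status: int


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive.
    Lines whose column count does not match the current header are skipped, not guessed."""
    fields: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can change mid-file after an IIS restart
            continue
        if line.startswith("#"):
            continue                    # other directives: #Software, #Version, #Date
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_suspicious_requests(log_text: str, require_success: bool = True) -> List[Hit]:
    """Return requests whose stem+query contain every token in TOKENS.
    With require_success only HTTP 200 responses are returned, mirroring the
    '200' at the end of the page's pattern; pass False to also see rejected attempts."""
    hits: List[Hit] = []
    for rec in parse_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        uri = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        if not all(tok in uri.lower() for tok in TOKENS):
            continue
        status = int(rec.get("sc-status", "0"))
        if require_success and status != 200:
            continue
        hits.append(Hit(rec["date"] + " " + rec["time"], rec.get("c-ip", "?"),
                        rec.get("cs-method", "?"), uri, status))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG, require_success=False):
        flag = "SUCCESS" if hit.status == 200 else "attempt"
        print(f"{hit.time} {hit.client_ip} {hit.method} {hit.uri} -> {hit.status} ({flag})")
```

On the constructed excerpt only the second request is reported by default (all three tokens present, status 200); the third carries the same tokens but was answered 401 and is only listed when `require_success=False`, and the fourth, an ordinary Autodiscover lookup containing an `@` in an e-mail address, is never reported because it lacks `powershell`. Pointing the parser at real IIS log files means reading each `*.log` under the path the PowerShell command refers to as `<Path_IIS_Logs>`.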
Mitigation
Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block the exposed Remote PowerShell ports.
The current mitigation is to add a blocking rule in IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions to block the known attack patterns.
Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add the string “.*autodiscover.json.*@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule, select the rule with the Pattern “.*autodiscover.json.*@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}.
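The last step matters because in IIS URL Rewrite the `{URL}` server variable holds only the request path, while `{REQUEST_URI}` holds the path plus the query string. A pattern whose `@` and `Powershell` elements appear in the query string can therefore never match `{URL}`, and the rule would silently pass such requests. The following is an added example, not part of this alert and not IIS or URL Rewrite code: a small Python model of the Request Blocking rule that evaluates the page's pattern against both condition inputs. The `server_variables`, `rule_blocks` and `compare_inputs` names and the two request targets are constructed for this example, and the pattern is compiled case-insensitively because URL Rewrite conditions ignore case by default.

```python
import re
from urllib.parse import urlsplit

# The string from the mitigation steps, compiled case-insensitively because
# URL Rewrite conditions ignore case unless configured otherwise.
BLOCK_PATTERN = re.compile(r".*autodiscover.json.*@.*Powershell.*", re.IGNORECASE)


def server_variables(request_target: str) -> dict:
    """Approximate the two IIS server variables the condition can read:
    {URL} is the path alone, {REQUEST_URI} is the path plus the query string."""
    parts = urlsplit(request_target)
    request_uri = parts.path + ("?" + parts.query if parts.query else "")
    return {"URL": parts.path, "REQUEST_URI": request_uri}


def rule_blocks(request_target: str, condition_input: str) -> bool:
    """True if a Request Blocking rule keyed on {condition_input} would abort
    this request. Hypothetical model of the rule, not the URL Rewrite engine."""
    value = server_variables(request_target)[condition_input]
    return BLOCK_PATTERN.search(value) is not None


def compare_inputs(request_target: str) -> dict:
    """Evaluate the rule under both condition inputs for one request target."""
    return {inp: rule_blocks(request_target, inp) for inp in ("URL", "REQUEST_URI")}


# Constructed request targets (not captured traffic). The first places the
# pattern's '@' and 'powershell' in the query string, which is exactly the part
# {URL} never sees; the second is an ordinary Autodiscover lookup that happens
# to contain an '@' in an e-mail address and must not be blocked.
PROBE = "/autodiscover/autodiscover.json?@placeholder.invalid/powershell"
BENIGN = "/autodiscover/autodiscover.json?Email=user@example.invalid"

if __name__ == "__main__":
    for name, target in (("probe", PROBE), ("benign", BENIGN)):
        print(name, compare_inputs(target))
```

With `{URL}` as the input the probe is never blocked, because the path alone is just `/autodiscover/autodiscover.json`; with `{REQUEST_URI}` it is blocked, while the benign lookup passes under both inputs. After applying the rule on a real server, the same two requests sent from a test client should produce the same outcome (the benign one answered normally, the probe aborted), and the blocked request will not appear with status 200 in the IIS logs searched by the detection method above.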
Impact: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.
- HTTP: 5985
- HTTPS: 5986
Remediation
No patches have currently been released to address this vulnerability.
References
- https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US
- Untested tool developed by GTSC for faster detection, based on the exploit signature: https://github.com/ncsgroupvn/NCSE0Scanner