
CVE-2022-41040 and CVE-2022-41082: Workaround for a zero-day vulnerability on Microsoft Exchange Server


Security researchers have reported that attackers are actively exploiting two zero-day vulnerabilities in Microsoft Exchange Server. Microsoft has acknowledged the reports and is investigating the two vulnerabilities, which affect Exchange Server 2013, 2016 and 2019. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Microsoft Exchange Server is a mail and calendaring server developed by Microsoft that runs on Windows Server. It has integrated storage and search functions and is designed to give users access to the messaging platform from mobile devices, desktops and web clients; with its integrated telephony functions it also supports voice messages.

Note: Microsoft reports that CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082, and that authenticated access to the vulnerable Exchange Server is necessary to exploit either vulnerability. The credential required is only that of a valid Exchange user, not an administrator, so a single phished or weak mailbox password is enough to start the chain.

To check whether a server has already been attacked, GTSC published the following PowerShell command, which scans the IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder) for the request pattern the exploit leaves behind. Replace <Path_IIS_Logs> with the log folder on your server. A hit shows that an exploit request was received and answered with HTTP 200; no hits does not prove the server is clean if the logs have been rotated or cleared.

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Alternatively, based on the exploit signature, GTSC built a tool that searches the logs in much less time than the PowerShell command. Here is the download link.

Workaround to contain CVE-2022-41040 and CVE-2022-41082

GTSC's direct incident response process recorded more than one organization being the victim of an attack campaign exploiting this 0-day vulnerability. GTSC is also concerned that many other organizations may have been exploited without having discovered it yet. While waiting for the official patch from Microsoft, GTSC provides a temporary remedy that reduces exposure by adding a rule through the URL Rewrite module on the IIS server to block requests that carry the attack indicators.

Microsoft Exchange Online is not affected: Microsoft has detections and mitigations in place there, monitors them for malicious activity and responds to protect customers.

Microsoft's own post describes the same mitigation, offered in three different ways, as shown below. Customers are advised to review the three options and apply only one of them.

Add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. 

Option 1: For customers who have the Exchange Emergency Mitigation (EM) service enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019, and it is applied automatically. The EM service ships with Exchange 2016 CU22 and Exchange 2019 CU11 and later, and needs outbound connectivity to Microsoft's Office Config Service to fetch mitigations, so servers without it (Exchange 2013 included) need Option 2 or 3. Microsoft's blog post on the service explains how to check which mitigations are active; the Get-Mitigations.ps1 script in the Exchange Scripts folder lists them.

Option 2: Microsoft created a script for the URL Rewrite mitigation steps: https://aka.ms/EOMTv2. Download it from that link and run it from an elevated PowerShell prompt on the Exchange server with the following command.

.\EOMTv2.ps1

What does the EOM Mitigation Tool v2 script do?

The Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) can be used to mitigate CVE-2022-41040. The script does the following:

  • Check for the latest version of EOMTv2.ps1 and download it.
  • Mitigate against current known attacks using CVE-2022-41040 via a URL Rewrite configuration

Running the script with no parameters, as above, is the default recommended way of using EOMTv2.ps1. It applies the URL Rewrite mitigation and, if the IIS URL Rewrite module is not installed, downloads and installs the module first.

To roll back the EOMTv2 mitigation, run the following command.

.\EOMTv2.ps1 -RollbackMitigation

Option 3: Customers can also apply the rule by hand with the steps below, which Microsoft states have been tested and break the current attack chains.

Launch IIS Manager and select Default Web Site. In the Feature View, click URL Rewrite.


In the Actions pane on the right-hand side, click Add Rule(s)…


Select Request Blocking and click OK.


– Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes).
– Select Regular Expression under Using.
– Select Abort Request under How to block, then click OK.


Expand the rule, select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.*, and click Edit under Conditions.


Change the Condition input from {URL} to {REQUEST_URI}. {URL} holds only the request path, whereas {REQUEST_URI} also includes the query string, and the query string is where the exploit's @host/…/powershell payload sits; a rule evaluated against {URL} alone would never match it.


Note: If you MUST change a rule that you have created, it is best to delete and recreate it. Also be aware that Microsoft revised the pattern string more than once in the days after publishing the mitigation, because the first version could be bypassed; take the current string from Microsoft's post rather than copying the one in these steps verbatim, and re-check the rule after each revision.
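The same rule can be created from PowerShell, which is easier to audit and to repeat across several servers than clicking through IIS Manager. The block below is an added example, not Microsoft's EOMTv2 script and not part of the original post. It first dry-runs the pattern against a few constructed URIs (so you can see what the rule would and would not block before it goes live), then, when $Apply is set, writes the Request Blocking rule and reads it back from web.config. Assumptions: the IIS URL Rewrite module is installed, the site is "Default Web Site", and the rule name "BlockProxyNotShell" is our own choice.

```powershell
# Added example (not Microsoft's EOMTv2 script): script the Option 3 rule, read it
# back, and dry-run the pattern first. Rule name and probe URIs are constructed.
$Pattern  = '.*autodiscover\.json.*\@.*Powershell.*'   # string from the steps above; substitute Microsoft's current one
$RuleName = 'BlockProxyNotShell'
$Site     = 'IIS:\Sites\Default Web Site'
$Rules    = 'system.webServer/rewrite/rules'
$Apply    = $false   # set to $true only on the Exchange server, from an elevated prompt

function Test-BlockPattern {
    param([string]$Pattern, [string[]]$Uri)
    # URL Rewrite conditions match case-insensitively by default (ignoreCase="true"),
    # and the rule tests {REQUEST_URI}, i.e. path plus query string, so feed in exactly that.
    $re = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    foreach ($u in $Uri) {
        [pscustomobject]@{ Blocked = $re.IsMatch($u); Uri = $u }
    }
}

function Add-BlockRule {
    param([string]$Site, [string]$Rules, [string]$RuleName, [string]$Pattern)
    $ruleFilter = "$Rules/rule[@name='$RuleName']"
    if (Get-WebConfiguration -PSPath $Site -Filter $ruleFilter) {
        # Same advice as the note above: do not edit an existing rule in place
        throw "Rule '$RuleName' already exists; delete it and recreate it."
    }
    # Equivalent of Add Rule(s) -> Request Blocking -> Abort Request in IIS Manager:
    # match any URL, abort when the condition matches, stop processing further rules
    Add-WebConfigurationProperty -PSPath $Site -Filter $Rules -Name '.' -Value @{
        name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'
    }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$ruleFilter/match" -Name 'url' -Value '.*'
    # {REQUEST_URI}, not {URL}: {URL} is the path only, and the payload lives in the query string
    Add-WebConfigurationProperty -PSPath $Site -Filter "$ruleFilter/conditions" -Name '.' -Value @{
        input = '{REQUEST_URI}'; pattern = $Pattern
    }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$ruleFilter/action" -Name 'type' -Value 'AbortRequest'
}

function Get-BlockRule {
    param([string]$Site, [string]$Rules, [string]$RuleName)
    # Read back what actually landed in web.config
    Get-WebConfiguration -PSPath $Site -Filter "$Rules/rule[@name='$RuleName']/conditions/add" |
        Select-Object input, pattern
}

# Constructed probe URIs (not captured traffic): one exploit-shaped request, two legitimate ones
$Probe = @(
    '/autodiscover/autodiscover.json?@example.com/powershell/?X-Rps-CAT=abc&Email=autodiscover/autodiscover.json%3f@example.com'
    '/autodiscover/autodiscover.json?Email=alice@example.com&Protocol=ActiveSync'
    '/powershell/?serializationLevel=Full'
)
Test-BlockPattern -Pattern $Pattern -Uri $Probe | Format-Table -AutoSize

if ($Apply) {
    Import-Module WebAdministration
    Add-BlockRule -Site $Site -Rules $Rules -RuleName $RuleName -Pattern $Pattern
    Get-BlockRule -Site $Site -Rules $Rules -RuleName $RuleName
}
```

The dry run reports only the first probe as blocked: the ordinary Autodiscover lookup (which legitimately contains an "@") and the legitimate /powershell endpoint used by remote PowerShell are left alone, which is the behaviour you want to confirm before aborting requests on a production mail server. When Microsoft publishes a revised pattern, change $Pattern, re-run the dry run, then delete and recreate the rule rather than editing it in place.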

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
