Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Reviews
  • Contact
  • Toggle search form

Workaround for a zero-day vulnerability on Microsoft Exchange Server

Posted on 01/10/202210/04/2023 IT Expert By IT Expert No Comments on Workaround for a zero-day vulnerability on Microsoft Exchange Server
  1. Home
  2. Network | Monitoring
  3. Workaround for a zero-day vulnerability on Microsoft Exchange Server
exchange 2016 1

Some security researchers have reported that attackers are currently exploiting two zero-day vulnerabilities in Microsoft Exchange Server. Microsoft has acknowledged and is currently investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first to be reported is CVE-2022-41040 which is a Server-Side Request Forgery (SSRF) vulnerability, and the other one is CVE-2022-41082, which allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  In this article, you will learn how to apply the workaround for a zero-day vulnerability on Microsoft Exchange Server.

What is Micrsoft Exchange?

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft and runs on Windows Server operating systems. It is worth noting that Exchange Server has integrated intelligent storage and search functionalities. Basically, Microsoft designed Exchange Server to give users access to the messaging platform from mobile devices, desktops, and web-based systems. With the integrated telephone functions, Exchange Server also supports voice messages.

CVE-2022-41040 and CVE-2022-41082

Note:  It has been reported by Microsoft that CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. But authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

You can use the following PowerShell command to check whether servers are already compromised, GTSC released this guideline as a tool to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder).

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Alternatively, based on the exploit signature, GTSC built a tool to search with a much shorter time needed than using Powershell. Here is the download link.

Workaround to contain CVE-2022-41040 and CVE-2022-41082

GTSC’s direct incident response process recorded more than 1 organization being the victim of an attack campaign exploiting this 0-day vulnerability. In addition, we are also concerned that there may be many other organizations that have been exploited but have not been discovered. While waiting for the official patch from the company, GTSC provides a temporary remedy to reduce the vulnerability of attacks by adding a rule to block requests with indicators of attack through the URL Rewrite Rule module on the IIS server.

Microsoft Exchange Online is not affected. It has detections and mitigations to protect customers. As always, Microsoft is monitoring these detections for malicious activity and responds to protect customers.

Also on the Microsoft website, the same Microsoft Exchange Server mitigation steps were mentioned as shown below but with three different approaches. They advised customers to review and apply only one of the recommended mitigation steps.

Add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. 

Option 1

For customers who have the Exchange Server Emergency Mitigation Service (EMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. Please see this blog post for more information on this service and how to check active mitigations.

Option 2

Microsoft created the following script for the URL Rewrite mitigation steps: https://aka.ms/EOMTv2. You can download the script from this link. Kindly run the script after downloading with the following command.

.\EOMTv2.ps1

What does the EOM Mitigation Tool v2 script do?

The Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) can be used to mitigate CVE-2022-41040. This script does the following:

  • Check for the latest version of EOMTv2.ps1 and download it.
  • Mitigate against current known attacks using CVE-2022-41040 via a URL Rewrite configuration

The default recommended way of using EOMTv2.ps1. This will apply the URL rewrite mitigation. If the IIS URL rewrite module is not installed, this will also download and install the module.

To roll back EOMTv2 mitigations run the following command below.

.\EOMTv2.ps1 -Rollbackmitigation

Customers are also advised to follow the below instructions and they have been proven to be successful in breaking current attack chains. Please refer to these related articles: URL Rewrite: How to perform redirection from HTTP to HTTPS, how to enable Exploit Protection on Windows using Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy Editor. How to disable Password Change for all Users Exchange server, how to block the Change Password Feature for All Users, and how to mitigate Yet another Windows print spooler zero-day Vulnerability: Mitigate Windows Print SpoilerZero day Vulnerability.

Option 3

Launch the IIS Manager, and select Default Web Site. In the Feature View, click URL Rewrite as shown below.

image
src: Microsoft

In the Actions pane on the right-hand side, click Add Rule(s)

URLrewrite

Select Request Blocking and click OK.

browsingrequest

Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes).
– Then select Regular Expression under Using.
– Select Abort Request under How to block and then click OK.

abortrequestIIS

Expand the rule and select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions. 

conditionsIIS

Change the Condition input from {URL} to {REQUEST_URI}

conditioninputIIS

Note: If you MUST change any rule that you have created, it is best to delete and recreate it.

I hope you found this blog post helpful on how to apply the workaround for a zero-day vulnerability on Microsoft Exchange Server. If you have any questions, please let me know in the comment session.

Rate this post

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Network | Monitoring Tags:exchange, Exchange Server, Microsoft Windows, Windows Server 2016

Post navigation

Previous Post: How to search Group Policy for a specific Setting in Windows 10 and 11
Next Post: How to work with Windows Performance Toolkit

Related Posts

  • How to Fix Microsoft Edge Not Responding on Windows 11
    How to Fix Microsoft Edge Not Responding on Windows 11 Network | Monitoring
  • Featured image GPU Temp
    How to check graphics card temperature on Windows 11 Network | Monitoring
  • cb5e9fcbe91618c68c5236d801eb6721
    Real-Time Monitoring: How to setup VeeamONE Network | Monitoring
  • Exchange password
    How to block the Change Password Feature for All Users via the Exchange Administrative Center Network | Monitoring
  • Featured image Excel crash 1
    How to Fix Microsoft Excel Crash Issues Network | Monitoring
  • screenshot 2020 04 07 at 02.14.53
    SSH and Telnet on Cisco ASA 5505: Quick Setup Guide Network | Monitoring

More Related Articles

How to Fix Microsoft Edge Not Responding on Windows 11 How to Fix Microsoft Edge Not Responding on Windows 11 Network | Monitoring
Featured image GPU Temp How to check graphics card temperature on Windows 11 Network | Monitoring
cb5e9fcbe91618c68c5236d801eb6721 Real-Time Monitoring: How to setup VeeamONE Network | Monitoring
Exchange password How to block the Change Password Feature for All Users via the Exchange Administrative Center Network | Monitoring
Featured image Excel crash 1 How to Fix Microsoft Excel Crash Issues Network | Monitoring
screenshot 2020 04 07 at 02.14.53 SSH and Telnet on Cisco ASA 5505: Quick Setup Guide Network | Monitoring

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • Fix invalid backup repostory and delete not needed repo via Veeam Backup Repository
    Fix missing path and delete a Veeam Backup Repository Backup
  • Microsoft Windows Windows 1
    How to specify a persistent default printer via the Windows Registry and PowerShell Windows
  • windows 10 keyboard shortcut 1024x512 1
    How to create a Desktop shortcut in Windows Windows
  • update
    Client Visibility Issues: Fix WSUS Clients appear then disappear in the console Windows Server
  • Delete Slack Account
    How to delete your Slack account JIRA|Confluence|Apps
  • Azure Resource Inventory (ARI) for Engineers: Improving Control and Compliance AWS/Azure/OpenShift
  • Featured image Microsoft Whiteboard
    How to work with Microsoft Blackboard via private or commercial accounts Microsoft Exchange/Office/365
  • How to create an Advanced Windows Scheduled Task Windows Server

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,784 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.