Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet

Microsoft is fast-tracking patches for two Exchange Server zero-day vulnerabilities reported overnight, but in the meantime, businesses should be on the lookout for attacks. The computing giant said in a Friday update that it's already seeing "limited targeted attacks" chaining the bugs together for initial access and takeover of the email system.

The flaws specifically affect on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 that face the Internet, according to Microsoft. However, it's worth noting that security researcher Kevin Beaumont says that Microsoft Exchange Online Customers running Exchange hybrid servers with Outlook Web Access (OWA) are also at risk, despite the official advisory stating that Online instances aren't impacted. The team at Rapid7 echoed that assessment.

The bugs are tracked as follows:

  • CVE-2022-41040 (CVSS 8.8), a server-side request forgery (SSRF) vulnerability giving access to any mailbox in Exchange;
  • CVE-2022-41082 (CVSS 6.3), which allows authenticated remote code execution (RCE) when PowerShell is accessible to the attacker.

Importantly, authenticated access to the Exchange Server is necessary for exploitation, Microsoft's alert pointed out. Beaumont added, "Please note exploitation needs valid non-admin credentials for any email user."

Patches & Mitigations for CVE-2022-41040, CVE-2022-41082

So far, there's no patch available, but Microsoft has triaged the bugs and is fast-tracking a fix.

"We are working on an accelerated timeline to release a fix," according to Microsoft's Friday advisory. "Until then, we're providing the mitigations and detections guidance."

The mitigations include adding a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns; and the company included URL rewrite instructions in the advisory, which it said it "confirmed are successful in breaking current attack chains."

Also, the alert noted that "since authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082, blocking the ports used for Remote PowerShell can limit the attacks."

Blindsiding-Bug Disclosure

The flaws were disclosed in a blog post from Vietnamese security company GTSC, which noted that it submitted bug reports to Trend Micro's Zero Day Initiative last month. While typically this would have resulted in a responsible vulnerability disclosure process in which Microsoft would have 120 days to patch before the findings were made public, GTSC decided to publish after seeing in-the-wild attacks, it said.

"After careful testing, we confirmed that those systems were being attacked using this 0-day vulnerability," GTSC researchers noted in its Thursday blog post. "To help the community temporarily stop the attack before an official patch from Microsoft is available, we publish this article aiming to those organizations who are using Microsoft Exchange email system."

It also offered detail analysis of the bug chain, which is similar under the hood to the ProxyShell group of Exchange Server vulnerabilities. This prompted Beaumont (@gossithedog) to dub the chain "ProxyNotShell," complete with its own logo.

He said in his analysis on Friday that while many attributes of the bugs are exactly like ProxyShell, the ProxyShell patches don't fix the issue. He also noted that in terms of attack surface, "near a quarter of a million vulnerable Exchange servers face the internet, give or take."

He characterized the situation as "pretty risky" in a Twitter feed, noting that exploitation seems to have been going on for at least a month, and that now that the flaws are public, things could "go south pretty quickly." He also called into question Microsoft's mitigation guidance.

"My guidance would be to stop representing OWA to the internet until there is a patch, unless you want to go down the mitigation route ... but that has been known about for a year, and, eh — there's other ways to exploit Exchange for RCE without PowerShell," Beaumont tweeted. "For example, if you have SSRF (CVE-2022-41040) you are god in Exchange, and can access any mailbox via EWS — see the prior activity. So, I'm not sure that mitigation will hold."

Microsoft did not immediately respond to a request for comment by Dark Reading.