24 May 2024

Security advisory: Exchange Server 0-day - ProxyNotShell

Two unpatched vulnerabilities in the latest Microsoft Exchange Server have been identified by GTSC Blue Team and are being actively exploited in the wild.

Details

Two vulnerabilities affecting the latest version of Microsoft Exchange Server have been identified by GTSC Blue Team as being exploited in the wild:

  • CVE-2022-41040
  • CVE-2022-41082

These vulnerabilities, as of the 1st of October 2022, are still unpatched by Microsoft. Greynoise.io, an internet security data analytics platform, currently identifies multiple IP addresses scanning for this vulnerability at scale.

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Authentication is required to successfully exploit either vulnerability.

These vulnerabilities are similar to ProxyShell, the Exchange Server vulnerabilities identified in 2021 (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), hence the similar name. Due to the requirement for authentication, however, the impact of this vulnerability is reduced.

If the Exchange Server is exposed on the internet, an internet-based attacker with authenticated access (e.g. through a successful password-spraying attack or phishing) would be able to exploit these vulnerabilities and gain remote code execution on the server.

Vulnerability and Exploitation Identification

Any server running Microsoft Exchange on-premises with OWA (Outlook Web App) is currently vulnerable to authenticated attackers until a patch is released by Microsoft.

The following URL request is used in the attack, similar to that of ProxyShell:

/autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

Identification of this in the IIS logs demonstrates attempts at exploitation. The following PowerShell command from GTSC scans the IIS log files for successful exploitation attempts (the pattern is case-insensitive, as Select-String is by default, and a 200 status on such a request indicates the backend call succeeded):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Mitigation

In order to temporarily block exploitation attempts, any inbound request whose URL matches the following regular expression should be blocked (for example with an IIS URL Rewrite rule on the Autodiscover virtual directory):

.*autodiscover\.json.*\@.*Powershell.*
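The following script is an added example, not code from GTSC or from the original advisory. It applies the advisory's two expressions to a constructed IIS W3C log sample: the Select-String detection pattern line by line, a stricter field-aware variant that checks the sc-status column exactly instead of matching "200" anywhere after the "@", and the mitigation regex as a request-blocking predicate. The log lines, host names and IP addresses are made up for the example; the field layout follows the IIS W3C "#Fields:" directive.

```python
import re

# Constructed IIS W3C log sample for the example; not real Exchange data.
# Field names follow the standard IIS "#Fields:" directive (values are
# space-separated; IIS writes spaces inside a field as "+").
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:12:03 10.0.0.5 GET /owa/ - 443 jdoe@example.com 198.51.100.20 Mozilla/5.0 200
2022-09-30 08:12:09 10.0.0.5 POST /autodiscover/autodiscover.json Email=jdoe@example.com 443 jdoe@example.com 198.51.100.20 Outlook/16.0 200
2022-09-30 08:13:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 python-requests/2.28 401
2022-09-30 08:14:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 attacker@example.com 203.0.113.7 python-requests/2.28 200
"""

# Detection pattern from the advisory's Select-String command.
# Select-String is case-insensitive by default, so IGNORECASE mirrors it.
DETECT_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Blocking expression from the advisory's mitigation section, applied
# case-insensitively (assumption: the rewrite rule is configured that way).
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def raw_pattern_hits(log_text):
    """Line-by-line equivalent of the advisory's Select-String scan.

    Returns the raw log lines that match; directives (#...) are skipped.
    """
    return [line for line in log_text.splitlines()
            if not line.startswith("#") and DETECT_PATTERN.search(line)]


def parse_w3c_log(log_text):
    """Yield one dict per log entry, keyed by the names in #Fields."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log entry encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        yield dict(zip(fields, values))


def structured_hits(log_text):
    """Field-aware variant: URI carries the signature AND sc-status is exactly 200.

    This avoids the raw pattern's weakness that "200" may match anywhere after
    the "@" (for example inside a user agent or a client address).
    """
    hits = []
    for entry in parse_w3c_log(log_text):
        request = entry["cs-uri-stem"] + "?" + entry["cs-uri-query"]
        if BLOCK_PATTERN.match(request) and entry["sc-status"] == "200":
            hits.append(entry)
    return hits


def should_block(request_uri):
    """Mitigation predicate: True if the inbound URI matches the block regex."""
    return BLOCK_PATTERN.match(request_uri) is not None


if __name__ == "__main__":
    for line in raw_pattern_hits(SAMPLE_IIS_LOG):
        print("raw match :", line)
    for entry in structured_hits(SAMPLE_IIS_LOG):
        print("confirmed :", entry["date"], entry["time"], entry["c-ip"],
              entry["cs-username"], entry["sc-status"])
    print("block?    :", should_block("/autodiscover/autodiscover.json?@evil.com/powershell&Email=x"))
```

On the sample, both scans return only the 08:14:02 entry: the 08:13:41 request carries the same URI but received a 401, so it is an attempt rather than a success, and the legitimate Autodiscover request at 08:12:09 contains no "powershell" segment. When running the raw pattern over real logs, expect the occasional false positive from "200" appearing in an unrelated field and confirm against the parsed sc-status column before escalating.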

It is recommended to patch immediately, as soon as a patch becomes available.

References

Original Report
Microsoft Customer Guidance