[updated]Two new Exchange Server zero-days in the wild

Microsoft has issued some customer guidance as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The company says it “is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.” The move follows discussion online about whether two new Exchange zero-days are really new vulnerabilities, or just new exploits for known vulnerabilities.

So, let’s start with the most important part: What should you do if you’re tasked with administering an Exchange Server? Microsoft is working on an accelerated timeline to release a fix. In the meantime it’s providing mitigations and detection guidance:

Microsoft Exchange Online Customers do not need to take any action.

Update October 4, 2022

Microsoft has adapted the mitigation advice it provided originally to block attacks on these vulnerabilities, because they were too easy to circumvent. The most significant change is the recommendation for Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is here. Microsoft alos removed the option to block the ports that are used for Remote PowerShell, but doesn’t mention this in the updates section.

Some experts are promoting a more effective string to use in the Request Blocking instructions as shown under points 7 and 8 below. The change is minimal, but should be a significant improvement.

.*autodiscover.json.*Powershell.*

These were the original instructions:

Users of the on premises product should add a blocking rule in IIS Manager to block the known attack patterns. According to Microsoft, the following URL Rewrite instructions, which are currently being discussed publicly, are successful in breaking current attack chains:

  1. Open the IIS Manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the Feature View, click URL Rewrite.
  5. In the Actions pane on the right-hand side, click Add Rules. 
  6. Select Request Blocking and click OK.
  7. Add String .*autodiscover.json.*@.*Powershell.* and click OK.
  8. Expand the rule and select the rule with the Pattern .*autodiscover.json.*@.*Powershell.* and click Edit under Conditions.
  9. Change the condition input from {URL} to {REQUEST_URI}

The instructions above can be found on the Microsoft blog, with screenshots. It adds that there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

Another option is to block the ports that are used for Remote PowerShell—HTTP: 5985 and HTTPS: 5986.

The vulnerabilities

The vulnerabilities were discovered by GTSC while performing security monitoring and incident response services. It was able to assess that the attacks were based on exploit requests with the same format as ProxyShell. But the servers being attacked had all the latest updates, including those that stop ProxyShell.

The attacks were used to drop web shells on the Exchange servers—a script that can be used by an attacker to run remote commands and maintain persistent access on an already compromised computer.

According to security researcher Kevin Beaumont a significant number of Exchange servers has been backdoored. But he adds that this is not unusual, since the patching process is apparently such a mess that people end up on old Content Updates and don’t patch ProxyShell properly.

On his blog on the subject he points out that if you don’t run Microsoft Exchange on premise, and don’t have Outlook Web App (OWA) facing the internet, you are not impacted either. In addition, Microsoft also notes that attackers need authenticated access to the vulnerable Exchange Server in order to exploit either of the two vulnerabilities associated with these attacks.

The vulnerabilities, which are chained together, are:

CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability. SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to other services within an organization’s infrastructure.

CVE-2022-41082, a vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker.

https://blog.malwarebytes.com/feed/