Exchange 0-days: CVE-2022-41040 & CVE-2022-41082

Update (Oct10, 2022): Updated URL Rewrite Rule (again).

End of last week, the Exchange world was made aware of a 0-day vulnerability and exploit through the following tweet by security researcher Kevin Beaumont. The tweet referenced a write-up by GTSC Cyber Security, which published their discovery on a what looked like a variation on ProxyShell, allowing for Remote code execution. The vulnerabilities have been registered by the Common Vulnerabilities and Exposures program as CVE-2022-41040 (ZDI-CAN-18333 at Zero Day Initiative) and CVE-2022-41082 (ZDI-CAN-18802).

The 0-day impacts current versions of Exchange Server 2019, Exchange Server 2016 as well as Exchange Server 2013 when published externally. If you have Exchange Hybrid deployed only for recipient management or mail-flow (i.e. no inbound traffic for https/443), you should be OK. Similar to ProxyShell, the vulnerability consists of sending manufactured requests to Exchange server, e.g.

Read the full of this article on ENow here.

Update (Oct10): The (original) filter to mitigate the situation, as specified originally by the GTSC as well as various websites, is too specific. The filter can easily be circumvented by – but effectively identical ÔÇô variations on the manufactured request. The latest rule to filter requests is:

(?=.*autodiscover)(?=.*powershell) 

Update any existing mitigation IIS URL Rewrite Rules with this Regular Expressions filter for {UrlDecode:{REQUEST_URI}} blocking (Abort Request) any matching request. When using EEMS, this rule will also be deployed in the most recent update (1.0.9). Microsoft rather silently updated the filter in their published EEMS rules during the weekend.

Microsoft added to their advisory, recommending organizations to disable Remote PowerShell for non-administrators roles (instructions here). For those wanting to hunt for indicators of compromise, check the end of the Security blog.

Vendors are also offering solutions to filter these requests using their network devices:

At the time of writing, Microsoft has not publish a security fix yet.

5 thoughts on “Exchange 0-days: CVE-2022-41040 & CVE-2022-41082

  1. As a RegEx Rule this has an error right at the beginning, it has to start with a dot: did you mean “.*\.autodiscover” or “.*autodiscover”?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.