Exchange 0-days: CVE-2022-41040 & CVE-2022-41082

Posted on October 3, 2022 by Michel de Rooij

Update (Oct10, 2022): Updated URL Rewrite Rule (again).

End of last week, the Exchange world was made aware of a 0-day vulnerability and exploit through the following tweet by security researcher Kevin Beaumont. The tweet referenced a write-up by GTSC Cyber Security, which published their discovery on a what looked like a variation on ProxyShell, allowing for Remote code execution. The vulnerabilities have been registered by the Common Vulnerabilities and Exposures program as CVE-2022-41040 (ZDI-CAN-18333 at Zero Day Initiative) and CVE-2022-41082 (ZDI-CAN-18802).

The 0-day impacts current versions of Exchange Server 2019, Exchange Server 2016 as well as Exchange Server 2013 when published externally. If you have Exchange Hybrid deployed only for recipient management or mail-flow (i.e. no inbound traffic for https/443), you should be OK. Similar to ProxyShell, the vulnerability consists of sending manufactured requests to Exchange server, e.g.

Read the full of this article on ENow here.

Update (Oct10): The (original) filter to mitigate the situation, as specified originally by the GTSC as well as various websites, is too specific. The filter can easily be circumvented by – but effectively identical – variations on the manufactured request. The latest rule to filter requests is:

(?=.*autodiscover)(?=.*powershell)

Update any existing mitigation IIS URL Rewrite Rules with this Regular Expressions filter for {UrlDecode:{REQUEST_URI}} blocking (Abort Request) any matching request. When using EEMS, this rule will also be deployed in the most recent update (1.0.9). Microsoft rather silently updated the filter in their published EEMS rules during the weekend.

Microsoft added to their advisory, recommending organizations to disable Remote PowerShell for non-administrators roles (instructions here). For those wanting to hunt for indicators of compromise, check the end of the Security blog.

Vendors are also offering solutions to filter these requests using their network devices:

At the time of writing, Microsoft has not publish a security fix yet.

Security Updates Exchange 2013-2019 (May2021)

Posted on May 11, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on May’s security updates for Exchange Server 2013 up to 2019.

These fixes address the following vulnerabilities:

Vulnerability	Category	Severity	Rating
CVE-2021-31209	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-31207	Security Feature Bypass	Moderate	CVSS:3.0 6.6 / 5.8
CVE-2021-31198	Remote Code Execution	Important	CVSS:3.0 7.8 / 6.8
CVE-2021-31195	Remote Code Execution	Important	CVSS:3.0 6.5 / 5.7

These vulnerabilities can be fixed by single security update for Exchange, which you can find below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.12	KB5 003435	KB5001779
Exchange 2019 CU8	Download	15.2.792.15	KB5 003435	KB5001779
Exchange 2016 CU20	Download	15.1.2242.10	KB5 003435	KB5001779
Exchange 2016 CU19	Download	15.1.2176.14	KB5 003435	KB5001779
Exchange 2013 CU23	Download	15.0.1497.18	KB5 003435	KB5001779

More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5003435-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

Security Update Exchange 2013-2019 (Apr2021)

Posted on April 13, 2021 by Michel de Rooij

15Apr2021: Added note about Pwn2Own vulnerabilities not being addressed by these updates.

A quick blog on April’s security updates for Exchange Server 2013 up to 2019. Details regarding these vulnerabilities are confidential, but organizations are recommended to install these updates based on their rating. With patching procedures still fresh in everyone’s memory, and every Exchange on-premises server being current after the Hafnium issues, that should not be a problem, right?

The fixes address the following Remote Code Execution vulnerabilities:

Vulnerability	Severity	Rating
CVE-2021-28483	Critical	CVSS:3.0 9.0 / 7.8
CVE-2021-28482	High	CVSS:3.0 8.8 / 7.7
CVE-2021-28481	Critical	CVSS:3.0 9.8 / 8.5
CVE-2021-28480	Critical	CVSS:3.0 9.8 / 8.5

More detailed information can be found at the original blog post here. Note that the recently discovered at the Pwn2Own 2021 contest are not (yet) addressed by these updates, according to this blog by the contest organizers.

The exploit can be fixed by single security update, which you can find below.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.10	KB5001779
Exchange 2019 CU8	Download	15.2.792.13	KB5001779
Exchange 2016 CU20	Download	15.1.2242.8	KB5001779
Exchange 2016 CU19	Download	15.1.2176.12	KB5001779
Exchange 2013 CU23	Download	15.0.1497.15	KB5001779

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.