Déjà vu: Microsoft Exchange Server Found With Two Zero-day Bugs Similar to ProxyShell

essidsolutions

Late last week, Microsoft confirmed two new zero-day vulnerabilities in the Exchange Server. GTSC, a Vietnamese cybersecurity company, discovered that the two security flaws affected Exchange Server 2013, 2016 and 2019.

Tracked as CVE-2022-41040 and CVE-2022-41082, the two vulnerabilities carry CVSS ratings of 8.8 and 6.3, respectively. The first is a server-side request forgery (SSRF) flaw that leads to elevation of privilege (EoP); the second allows remote code execution (RCE) when PowerShell is accessible to the attacker.

“These vulnerabilities can also work in combination: CVE-2022-41040 can enable an attacker to remotely trigger CVE-2022-41082, provided the attacker is authenticated in Exchange Server at least as a user,” Mike Walters, VP of vulnerability and threat research at Action1, told Spiceworks. “Attackers are using the zero-day combination to deploy web shells on compromised servers to save and steal data, as well as to move laterally to other systems on the victim’s network.”

The two zero-day vulnerabilities came to light during GTSC’s incident response for a client in August 2022. GTSC traced the exploitation activity to Antsword, an open-source, cross-platform website administration tool from China that is used to manage web shells.

The Chinese connection is further supported by the fact that the threat actors exploiting CVE-2022-41040 and CVE-2022-41082 establish persistence on the victim system with China Chopper, a web shell commonly used by Chinese hackers.

“The risk from these zero-days is significant, since hundreds of thousands of companies worldwide are using on-premise Exchange Server, and many of them are middle and enterprise companies with vast amounts of critical data,” Walters added.

GTSC added that CVE-2022-41040 and CVE-2022-41082 are being used to target critical infrastructure, including deploying backdoors, moving laterally within compromised networks to other servers, collecting information, and delivering malware.

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” the company stated. “In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.”


CVE-2022-41040 and CVE-2022-41082 are “strikingly similar” to the ProxyShell vulnerabilities, according to researcher Kevin Beaumont. The ProxyShell vulnerabilities were the most exploited CVEs in 2021 (55%), and they can still be exploited because unpatched instances of vulnerable systems remain more than a year after their discovery.

To exploit ProxyNotShell you need an authenticated user. From testing, this can be _any_ email user… so it’s pretty risky.

Every Exchange 2013, 2016, 2019 server is vulnerable currently.

— Kevin Beaumont (@GossiTheDog) September 30, 2022

However, since the two recently discovered zero-day flaws require authentication, they are somewhat less severe than the ProxyShell ones.

The two new Exchange Server vulnerabilities impact on-premise versions of the email and calendaring server, meaning Microsoft Exchange Online users/admins need not take any action. “We are working on an accelerated timeline to release a fix,” Microsoft said.

While a patch is developed and released, users are advised to check if Outlook Web App (OWA) is internet-facing. If it is, change the Exchange configuration to shield it until a patch is released.

My guidance would be to stop representing OWA to the internet until there is a patch, unless you want to go down the mitigation route… but that has been known about for a year, and, eh – there’s other ways to exploit Exchange for RCE without PowerShell.

— Kevin Beaumont (@GossiTheDog) September 30, 2022

Walters advised: “No fix is ready yet, but the good news is that Microsoft is working to release one ASAP. In the meantime, Microsoft’s mitigation guidance is to add a new IIS server rule using the URL rewrite rule module:

  1. From the URL Rewrite tab, select Request Blocking.
  2. Add the following string to the URL path: .*autodiscover.json.*@.*Powershell.*
  3. Set the condition input to {REQUEST_URI}.”
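For readers who would rather review the result of those three steps than click through IIS Manager, the fragment below is an added illustration (not taken from the article or from Microsoft’s guidance) of the URL Rewrite rule the Request Blocking template produces in the web.config of the affected IIS application. The rule name is a placeholder, the application path is assumed to be the Autodiscover application under Default Web Site, and “AbortRequest” is assumed as the blocking action; the pattern and the {REQUEST_URI} input are the ones quoted above.

```xml
<!-- Added example, not the article's or Microsoft's own text. Assumed location:
     web.config of the Autodiscover application under Default Web Site. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is a placeholder; stopProcessing ends evaluation once it matches -->
        <rule name="BlockProxyNotShellRequests" stopProcessing="true">
          <!-- Request Blocking matches every URL, then filters with the condition below -->
          <match url=".*" />
          <conditions>
            <!-- Step 3 changes the condition input from {URL} to {REQUEST_URI};
                 ignoreCase="true" is the default and keeps "Powershell" matching "powershell" -->
            <add input="{REQUEST_URI}" pattern=".*autodiscover.json.*@.*Powershell.*" ignoreCase="true" />
          </conditions>
          <!-- Assumed blocking action: drop the connection rather than answer it -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving the rule, confirm it with a harmless request to OWA or Autodiscover from a client to make sure legitimate traffic still reaches the server, and keep the pattern in step with the vendor’s current guidance rather than treating it as final.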

Scan for the indicators of compromise in the IIS log files using the following command (PowerShell):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover.json.*@.*200'
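The one-liner above prints raw log lines, and its trailing “200” can match any three digits anywhere in the line (an IP octet, a time-taken value), not only the status code. The script below is an added example, not from the article, GTSC or Microsoft: it parses the IIS W3C log header to find the field positions, applies the published URI part of the indicator to the request stem and query, checks sc-status as its own field, and reports time, client IP and request for each hit. The function name, the field split and the sample log lines are all constructed for this illustration.

```powershell
# Added example (not the article's command): parse IIS W3C logs and report
# requests that match the published ProxyNotShell indicator, with the HTTP
# status checked as a separate field instead of as a bare "200" in the line.
function Find-ProxyNotShellIndicators {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # URI portion of the published pattern; the status is checked separately below
        [string] $UriPattern = 'powershell.*autodiscover\.json.*@',
        [string] $Status = '200'
    )
    $fields = @()
    foreach ($line in $LogLines) {
        # The #Fields: directive names the columns; later lines use that order
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        # IIS encodes spaces inside values as '+', so a plain split is safe
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }

        $uri = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
        # -match is case-insensitive by default, matching the article's Select-String usage
        if ($uri -notmatch $UriPattern) { continue }
        if ($row['sc-status'] -ne $Status) { continue }

        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            ClientIP = $row['c-ip']
            Method   = $row['cs-method']
            Request  = $uri
            Status   = $row['sc-status']
        }
    }
}

# Constructed sample lines in IIS W3C format (not real traffic). Only the second
# request should be reported: the third has the same shape but was rejected (401).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:11:12 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2022-09-29 10:11:40 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 125
2022-09-29 10:12:03 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.10 Mozilla/5.0 - 401 1 0 9
'@ -split "`r?`n"

Find-ProxyNotShellIndicators -LogLines $sample | Format-Table -AutoSize

# Against a real server, feed the log files instead of $sample, for example:
# Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter '*.log' |
#     ForEach-Object { Find-ProxyNotShellIndicators -LogLines (Get-Content $_.FullName) }
```

Because the parser keys on the #Fields: header, it keeps working when a server logs a different column set; a hit is worth correlating with the client IP’s other requests in the same log and with any new files under the Exchange front-end directories, since the article notes that exploitation ends with a web shell being written.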

“Exploitation has been happening for at least one month in the wild, with the security vendor report accepted by ZDI 22 days ago [on September 8, 2022],” Beaumont wrote. “MS will be frustrated with the vendor going public… but it’s better customers know about a threat like this.”

GTSC added, “We are also concerned that there may be many other organizations that have been exploited but have not been discovered.”

Technical details of the two zero-day flaws remain under wraps for now.

