Microsoft’s newly disclosed Exchange zero-day mitigations are easily bypassed

The mitigation Microsoft shared for the two newly disclosed Exchange zero-day vulnerabilities can be bypassed, experts warn.

Last week, Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are actively being exploited in the wild.

The first flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Successful exploitation of CVE-2022-41040 could allow an authenticated attacker to remotely trigger CVE-2022-41082.

“At this time, Microsoft is aware of limited targeted attacks that use both vulnerabilities to enter users’ systems. In these attacks, CVE-2022-41040 may allow an authenticated attacker to remotely activate CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange server is required to successfully exploit either vulnerability,” reads the notice posted by Microsoft.

Microsoft announced that it is working on an accelerated schedule to release a patch that addresses both issues. In the meantime, the company provided mitigations and detection guidance to help customers protect themselves from these attacks.

Microsoft states that Microsoft Exchange Online customers do not need to take any action, while the mitigation it provided for on-premises Microsoft Exchange customers is the same one shared by GTSC.

“We are working on an accelerated timeline to release a fix. Until then, we are providing the mitigation and detection instructions below to help customers protect against these attacks,” Microsoft added.

Below is the step-by-step procedure provided by Microsoft to mitigate the exploitation risk for the above issues:

  1. Open IIS Manager.
  2. Expand the default website.
  3. Select Auto Detect.
  4. In the Features view, click URL Rewriting.
  5. In the Actions pane on the right, click Add Rules.
  6. Select Block Request and click OK.
  7. Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
  8. Expand the rule, select the one with the pattern “.*autodiscover\.json.*\@.*Powershell.*”, and click Edit under Conditions.
  9. Change the condition entry from {URL} to {REQUEST_URI}.

Microsoft also recommends that customers block the following remote PowerShell ports:

  1. HTTP: 5985
  2. HTTPS: 5986

Microsoft also recommends that Exchange Server customers disable remote access to PowerShell for users who are not organization administrators.

BleepingComputer reported that researcher Jang first warned that Microsoft’s mitigations can be easily bypassed with little effort.

GTSC researchers published a PoC video demonstrating that the mitigation for both vulnerabilities can be bypassed.

Popular CERT/CC vulnerability analyst Will Dormann also confirmed that the mitigation is easily bypassed.

The researchers suggested using “.*autodiscover\.json.*Powershell.*” as the blocking pattern instead of the one shared by the IT giant.


Pierluigi Paganini

(SecurityAffairs: Hacking, Microsoft Exchange)
