Introduction:
Microsoft announced last week that Exchange Server 2013, 2016 and 2019 are affected by two zero-day vulnerabilities:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040: Server-Side Request Forgery (SSRF) vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082: Allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker
The first CVE, CVE-2022-41040, allows an authenticated attacker to remotely trigger the second CVE, CVE-2022-41082. Please note that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
Mitigation:
Microsoft are working to release a fix. Until then, please follow one of the options in the guidance below to protect against these attacks:
- If you already have the Exchange Emergency Mitigation Service (EEMS) enabled in Exchange Server 2016 or Exchange Server 2019, the mitigation is enabled automatically and has been updated to include the URL Rewrite rule improvements. Use the Get-Mitigations.ps1 script to check which mitigations are active. See here for more information.
- If you haven’t yet applied the EEMS or have Exchange Server 2013, there’s also the EOMTv2 script, which will auto-update on Internet connected machines and the updated version will show as 22.10.07.2029.
- To manually mitigate these CVEs, you can follow the steps below:
1. Open IIS Manager.
2. Select Default Web Site.
3. In the Feature View, click URL Rewrite.
4. In the Actions pane on the right-hand side, click Add Rule(s)…
5. Select Request Blocking and click OK.
6. Add the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes).
7. Select Regular Expression under Using.
8. Select Abort Request under How to block and then click OK.
9. Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.
10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
NOTE: Should you need to change or adjust any rule, please delete and recreate it.
Disable Remote PowerShell Access for Non-Admins
Microsoft are also strongly recommending that you disable remote PowerShell access for non-admin users in your Exchange organization. See here for more information.
Detection and Advanced Hunting
For detection and advanced hunting guidance, please refer to the following article: Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 – Microsoft Security Blog