CVSS v3.1 base score: 8.8 (High)
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2 base score: 6.5 (Medium)
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS score: 0.966 (High), percentile: 99.6%
Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 are vulnerable to a server-side request forgery (SSRF) attack (CVE-2022-41040) and to remote code execution (CVE-2022-41082). An authenticated attacker can chain the two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server.
Microsoft Exchange Server's Autodiscover service is a web service available to any Exchange Web Services (EWS) client. Since Exchange Server 2016, Autodiscover has been an integral part of the Mailbox server role and is no longer provided by a separate Client Access server. The Autodiscover service and a number of other privileged mailbox services are hosted on the default Internet Information Services (IIS) web site running on the Mailbox server.
The cybersecurity company GTSC observed abuse of the Autodiscover service in August 2022 through a crafted-URL SSRF attack, similar to the earlier ProxyShell vulnerability reported in August 2021. The observed attack appears to have used CVE-2022-41040 to gain privileged access and CVE-2022-41082 to achieve remote code execution via PowerShell. The Microsoft Security Response Center (MSRC) has acknowledged the vulnerabilities and published mitigation guidance. That guidance notes that Exchange Online customers receive detection and mitigation automatically from Microsoft's managed infrastructure, which informs them of any attempts to exploit these vulnerabilities.
An authenticated remote attacker can use the SSRF to escalate privileges and execute arbitrary PowerShell code on vulnerable Microsoft Exchange servers. Because the attack lands on the Exchange Mailbox server, the attacker can potentially reach other resources through lateral movement into the Exchange and Active Directory environments.
Microsoft has provided guidance in its blog post (linked below) to address the issue. Note that Microsoft has updated the guidance for Option 3, Step 6: the URL Rewrite pattern is now .*autodiscover\.json.*Powershell.* (the @ character has been dropped) instead of the earlier .*autodiscover\.json.*\@.*Powershell.* . The recommended block pattern is a regular expression suggested by the researcher Jang to cover known variants of the ProxyNotShell attack. Microsoft further updated its advisory on October 8 to recommend that the condition input be changed from {URL} to {UrlDecode:{REQUEST_URI}}, so that URL-encoded variations of the request are decoded before the pattern is evaluated and blocked.
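The following script is an added example, not code from the CERT note or from Microsoft's guidance. It emulates the URL Rewrite condition in Python: it applies the earlier pattern (with \@) and the revised pattern to constructed request URIs, once against the raw {REQUEST_URI} and once against the URL-decoded form, so you can see which variants each rule version would have missed. It then runs the same decoded check over a constructed IIS W3C log excerpt, which is the check an incident responder would run to look for attempts that predate the workaround. Assumptions: URL Rewrite conditions are case-insensitive by default (mirrored with re.IGNORECASE), IIS's UrlDecode is approximated with urllib.parse.unquote, and the host names, client IPs and log lines are placeholders invented for this example.

```python
import re
from urllib.parse import unquote

# Block patterns from the guidance quoted above. URL Rewrite conditions are
# case-insensitive unless ignoreCase="false", hence re.IGNORECASE.
PATTERN_ORIGINAL = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)  # Sept 29 version
PATTERN_REVISED = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)       # Oct 4 version


def condition_matches(pattern, request_uri, decode):
    """Emulate one URL Rewrite condition. With decode=False the pattern sees the raw
    {REQUEST_URI}; with decode=True it sees {UrlDecode:{REQUEST_URI}} (the Oct 8 change).
    unquote() stands in for IIS UrlDecode here (assumption for this example)."""
    subject = unquote(request_uri) if decode else request_uri
    return pattern.match(subject) is not None


def evaluate(request_uri):
    """Report which rule variants would block this request URI."""
    return {
        "original_raw": condition_matches(PATTERN_ORIGINAL, request_uri, decode=False),
        "revised_raw": condition_matches(PATTERN_REVISED, request_uri, decode=False),
        "revised_decoded": condition_matches(PATTERN_REVISED, request_uri, decode=True),
    }


# Constructed request URIs (not real attack traffic); evil.example is a placeholder host.
SAMPLE_URIS = {
    "classic": "/autodiscover/autodiscover.json?@evil.example/powershell/?X-Rps-CAT=AAAA",
    "encoded_at": "/autodiscover/autodiscover.json?%40evil.example/powershell/?X-Rps-CAT=AAAA",
    "no_at": "/autodiscover/autodiscover.json?a=b/powershell/?X-Rps-CAT=AAAA",
    "encoded_all": "/autodiscover/autodiscover%2Ejson?%40evil.example/%50owershell/",
    "benign": "/autodiscover/autodiscover.json?Email=user@corp.example&Protocol=Ews",
}

# Constructed IIS W3C log excerpt (field list reduced to what this example needs).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-30 10:15:01 POST /autodiscover/autodiscover.json %40evil.example/powershell/?X-Rps-CAT=AAAA 203.0.113.10 200
2022-09-30 10:15:02 GET /owa/ - 198.51.100.7 200
2022-09-30 10:15:03 POST /autodiscover/autodiscover%2Ejson %40evil.example/%50owershell/ 203.0.113.10 200
2022-09-30 10:15:04 POST /autodiscover/autodiscover.json Email=user@corp.example&Protocol=Ews 198.51.100.7 200
"""


def scan_iis_log(text):
    """Return (line_no, client_ip, decoded_request_uri) for entries whose decoded request
    URI matches the revised block pattern. Columns are located via the #Fields header, so
    other W3C layouts work as long as cs-uri-stem, cs-uri-query and c-ip are logged."""
    fields = None
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = dict(zip(fields, line.split()))
        query = cols.get("cs-uri-query", "-")
        request_uri = cols["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        if condition_matches(PATTERN_REVISED, request_uri, decode=True):
            hits.append((line_no, cols.get("c-ip"), unquote(request_uri)))
    return hits


if __name__ == "__main__":
    for name, uri in SAMPLE_URIS.items():
        print(f"{name:12s} {evaluate(uri)}")
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print("suspicious:", hit)
```

The "encoded_at" and "no_at" cases are why the \@ was dropped: the original pattern only fired when a literal @ appeared in the raw request. The "encoded_all" case is why the condition input moved to {UrlDecode:{REQUEST_URI}}: with the path and the PowerShell segment percent-encoded, neither pattern fires on the raw request and only the decoded check catches it. The benign Autodiscover request with an @ in the e-mail address is not blocked by any variant, which is the false-positive check worth keeping when you tune the rule for your own environment.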
As of October 3, 2022, no patch is available for this issue. Microsoft Exchange administrators should stay alert for any advisory or patch released by Microsoft. Note that the security updates Microsoft released on October 11 do not address the vulnerabilities described here. Even with the workaround in place, many on-premises Microsoft Exchange instances remain at risk until Microsoft provides a patch and that patch has been applied.
On November 8, 2022, Microsoft released fixes as part of its Patch Tuesday rollout; see Microsoft's updated guidance for CVE-2022-41082 and CVE-2022-41040 (linked below).
Exchange administrators who use third-party Web Application Firewall (WAF) products can implement the recommended URL filters and blocks as part of their WAF policy.
Exchange administrators can also restrict outbound connections from the Exchange Mailbox server with an explicit allow list on an outgoing proxy, limiting the web requests a compromised server could make.
This document was written by Vijay Sarvepalli.
Vulnerability Note VU#915563
Vendor status:
  Notified: 2022-10-03, updated: 2022-10-03. CVE-2022-41040: Unknown. CVE-2022-41082: Unknown. We have not received a statement from the vendor.
  Notified: 2022-10-03, updated: 2022-10-04. CVE-2022-41040: Unknown. CVE-2022-41082: Unknown. We have not received a statement from the vendor.

CVE IDs: CVE-2022-41040, CVE-2022-41082
Date Public: 2022-10-03
Date First Published:
References:
  https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9
  https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
  https://rw.md/2022/11/09/ProxyNotRelay.html
  https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/