9.8 Critical
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
On September 29, 2022, Microsoft announced two new zero-day vulnerabilities affecting on-premises Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability and CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker; used in tandem they give an attacker RCE on the server. It is important to note that both require authenticated access to the target Exchange server before exploitation. Trend Micro's Zero Day Initiative (ZDI) gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10, respectively.
According to researchers, CVE-2022-41082 is closely related to the ProxyShell vulnerability from 2021, CVE-2021-34473. The request string disclosed from the recent exploit is identical to that of last year's ProxyShell exploit, and the mitigation provided by Microsoft is the same as well.
Imperva Threat Research has recently observed a considerable increase in attacker activity targeting last year's ProxyShell vulnerability (CVE-2021-34473). Because the new exploits reuse the same request pattern, Threat Research rules and policies may also be picking up attacks targeting CVE-2022-41040 and CVE-2022-41082.
GTSC, the company that discovered these vulnerabilities in August 2022, believes that a Chinese threat actor may be behind the attacks observed so far. Per GTSC, the attacks used a Chinese character encoding (code page 936, simplified Chinese) in the dropped webshell and the China Chopper webshell for persistent remote access, a backdoor commonly used by likely state-sponsored Chinese hacking groups.
Because existing blocking rules already mitigate the CVE-2021-34473 ProxyShell request pattern, these new CVEs are mitigated out of the box by both Imperva Cloud WAF and WAF Gateway. Customers who wish to implement a manual mitigation can base it on Microsoft's published customer guidance for these CVEs. Microsoft noted that the CVEs only affect on-premises Exchange servers (which includes on-premises servers in a hybrid deployment), so Exchange Online customers do not currently need to take any action.
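The reason a single request-pattern rule can cover both ProxyShell and the new CVEs is the shared request shape: an autodiscover request whose query smuggles a backend PowerShell endpoint after an "@". The Python below is an added illustration, not Imperva's or Microsoft's code. It compares a narrow, literal rule against a hardened rule that matches case-insensitively over the URL-decoded request URI, and runs both over constructed sample request URIs. The two regexes are modeled on the form of Microsoft's initial and revised IIS URL Rewrite mitigation patterns for CVE-2022-41040/41082 (take the exact strings from Microsoft's current guidance before deploying anything); the host names and request lines are placeholders, not captured traffic.

```python
"""Narrow vs. hardened request filter for the ProxyShell / ProxyNotShell
autodiscover -> PowerShell request shape.

Added illustration, not Imperva's or Microsoft's code. Both regexes are
modeled on the shape of Microsoft's IIS URL Rewrite mitigation patterns
(an initial literal pattern, later replaced by a case-insensitive lookahead
over the URL-decoded URI); verify the exact strings against the advisory.
"""
import re
from urllib.parse import unquote

# Narrow form: literal match on the raw URI. It needs the exact spelling
# 'autodiscover.json', a literal '@' and 'powershell' in that order.
NARROW_RULE = re.compile(r".*autodiscover\.json.*\@.*powershell.*", re.IGNORECASE)

# Hardened form: both tokens anywhere in the request, in any order and case,
# evaluated after URL-decoding so percent-encoding '@' or '.' cannot hide them.
HARDENED_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def narrow_blocks(uri: str) -> bool:
    """True if the narrow rule would block this raw request URI."""
    return NARROW_RULE.match(uri) is not None


def hardened_blocks(uri: str) -> bool:
    """True if the hardened rule would block this request URI (decoded first)."""
    return HARDENED_RULE.match(unquote(uri)) is not None


# Constructed sample request URIs (not real traffic); hosts are placeholders.
SAMPLE_REQUESTS = {
    # ordinary OWA logon redirect: must pass both rules
    "benign_owa": "/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.example.test%2fowa%2f",
    # autodiscover SSRF probe without the PowerShell endpoint: passes both rules
    "autodiscover_only": "/autodiscover/autodiscover.json?a=b@example.test/mapi/nspi/",
    # the published ProxyShell-style shape: blocked by both rules
    "proxyshell_shape": "/autodiscover/autodiscover.json?@example.test/powershell"
                        "?Email=autodiscover/autodiscover.json%3f@example.test",
    # same request with '@' percent-encoded: slips past the literal rule
    "encoded_at": "/autodiscover/autodiscover.json?%40example.test/powershell",
    # same request with '.' percent-encoded: also slips past the literal rule
    "encoded_dot": "/autodiscover/autodiscover%2Ejson?@example.test/powershell",
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both rules over the samples; returns {name: (narrow, hardened)}."""
    return {name: (narrow_blocks(uri), hardened_blocks(uri))
            for name, uri in requests.items()}


if __name__ == "__main__":
    for name, (narrow, hardened) in evaluate().items():
        print(f"{name:18} narrow={'BLOCK' if narrow else 'pass '}  "
              f"hardened={'BLOCK' if hardened else 'pass '}")
```

Running it shows the narrow rule passing the two percent-encoded variants that the hardened rule still blocks. A real WAF or IIS normalizes the request before matching, so the point is the method rather than these exact strings: test any mitigation rule against encoded and case-varied inputs, not only against the published proof-of-concept request.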
As always, Imperva's Threat Research continues to monitor the situation and will provide updates as new information emerges.
The post Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082 appeared first on Blog.