Imperva Blog, Gabi Stapel (IMPERVABLOG:2303181B17E64D6C752ACD64C5A2B39C)
Sep 30, 2022 - 4:47 p.m.

Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082

Source: www.imperva.com
Tags: zero-day vulnerabilities, remote code execution, proxyshell, rce, chinese threat actor, attack campaign, microsoft exchange server, imperva, trend micro, threat research, security advisory

EPSS: 0.973 (percentile 99.9%)

On September 29, Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server. Used in tandem, the vulnerabilities allow remote code execution (RCE). It is important to note that both require authenticated access to the targeted server before exploitation. Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10, respectively.

According to researchers, CVE-2022-41082 is closely related to the ProxyShell vulnerability from 2021, CVE-2021-34473. The request string disclosed from the recent exploit is identical to that of last year’s vulnerability, and the mitigation provided by Microsoft is the same as well.

Imperva Threat Research has recently observed considerable attacker activity targeting last year's ProxyShell vulnerability (CVE-2021-34473). Because the request patterns overlap, Threat Research rules and policies may also be picking up attacks targeting the new vulnerabilities (CVE-2022-41040 and CVE-2022-41082).

GTSC, the company that discovered these vulnerabilities in August, believes that a Chinese threat actor may be behind the attacks observed so far. Per GTSC, the attacks include a Chinese character encoding and the China Chopper webshell for persistent remote access, a backdoor commonly used by likely state-sponsored Chinese hacking groups.

Given the existing blocking rules that mitigate the CVE-2021-34473 ProxyShell vulnerability, these new CVEs are mitigated out of the box by both Imperva Cloud WAF and WAF Gateway. Customers who wish to implement a manual mitigation based on Microsoft's advisory can find it here. Microsoft noted that the CVEs only impact on-premises Exchange servers, so Exchange Online customers do not currently need to take any action.

As always, Imperva Threat Research continues to monitor the situation and will provide updates as new information emerges.
