Lucene search

K
thnThe Hacker NewsTHN:5293CFD6ACCF7BFD2EDDE976C7C06C15
HistoryOct 05, 2022 - 5:31 a.m.

Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds

2022-10-0505:31:00
The Hacker News
thehackernews.com
219

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Mitigation for Exchange Zero-Days

Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed.

The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.

In-the-wild attacks abusing the shortcomings have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells.

The Windows maker, which is yet to release a fix for the bugs, has acknowledged that a single state-sponsored threat actor may have been weaponizing the flaws since August 2022 in limited targeted attacks.

In the meantime, the company has made available temporary workarounds to reduce the risk of exploitation by restricting known attack patterns through a rule in the IIS Manager.

However, according to security researcher Jang (@testanull), the URL pattern can be easily circumvented, with senior vulnerability analyst Will Dormann noting that the block mitigations are “unnecessarily precise, and therefore insufficient.”

Mitigation for Exchange Zero-Days

Microsoft has since revised the URL Rewrite rule (also available as a standalone PowerShell script) to take this into account -

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover\.json.Powershell.” (excluding quotes)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule and select the rule with the pattern: .*autodiscover\.json.Powershell. and click Edit under Conditions
  • Change the Condition input from {URL} to {REQUEST_URI}

It’s not immediately clear when Microsoft plans to push a patch for the two vulnerabilities, but it’s possible that they could be shipped as part of Patch Tuesday updates next week on October 11, 2022.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Related for THN:5293CFD6ACCF7BFD2EDDE976C7C06C15