Lucene search

K
thnThe Hacker NewsTHN:6B72050A86FFDCE9A0B2CF6F44293A1B
HistorySep 30, 2022 - 9:01 a.m.

Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

2022-09-3009:01:00
The Hacker News
thehackernews.com
141
microsoft
zero-day vulnerabilities
exchange server 2013
exchange server 2016
exchange server 2019
ssrf vulnerability
remote code execution
powershell
in-the-wild exploitation
targeted attacks
exploit chain
iis manager
mitigation
exchange online customers.

EPSS

0.947

Percentile

99.3%

Exchange Zero-Day Flaws

Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation.

“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” the tech giant said.

The company also confirmed that it’s aware of “limited targeted attacks” weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.

The attacks detailed by Microsoft show that the two flaws are stringed together in an exploit chain, with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution.

The Redmond-based company further emphasized that it’s working on an “accelerated timeline” to push a fix, while urging on premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats.

It’s worth noting that Microsoft Exchange Online Customers are not affected. The steps to add the blocking rule are as follows -

  1. Open the IIS Manager
  2. Expand the Default Web Site
  3. Select Autodiscover
  4. In the Feature View, click URL Rewrite
  5. In the Actions pane on the right-hand side, click Add Rules
  6. Select Request Blocking and click OK
  7. Add String “.autodiscover\.json.@.Powershell.” (excluding quotes) and click OK
  8. Expand the rule and select the rule with the Pattern “.autodiscover\.json.@.Powershell.” and click Edit under Conditions
  9. Change the condition input from {URL} to {REQUEST_URI}

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.