Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
trellixTrellixTRELLIX:2190FF6CC59F0018181B8146CC20B06D
HistoryNov 02, 2022 - 12:00 a.m.

The Bug Report October 2022 Edition

2022-11-0200:00:00
www.trellix.com
41
JSON

The Bug Report — October 2022 Edition

By Trellix · November 2, 2022
This story was written by Richard Johnson.

The Bug Report – October 2022 Edition Do ROP exploits count as jmp scares?

Why am I here?

Welcome back to the Bug Report: Spooky Edition, and we’ve got bugs crawling out of the walls! Of all the months we do this, we’ve found that critical CVEs feel most at home in October – the month heralding All Hallows’ Eve. They’re terrifying, bring promises of late nights, and they might even have your analysts looking like zombies by the end. Be sure to give those poor souls the full-sized candy bars – they’ve earned it.

For those in the audience unfamiliar with our shtick, every month we compile a shortlist of the top vulnerabilities of the month, so that they might whittle away at your last few hours of peaceful sleep.

Appropriately, this month is rich with Spooky Scary Shelletons:

  • CVE-2022-41040 + CVE-2022-41082 aka “ProxyNotShell”: Microsoft Exchange
  • CVE-2022-42889 aka “Text4Shell”: Apache Commons Text
  • Bring Your Own Vulnerable Driver (BYOVD) Mitigations Flaw: Windows

CVE-2022-41040, CVE-2022-41082: Exchanging tricks for treats

What is it?

Like candy corn nobody wants, Microsoft Exchange vulnerabilities continue to be tossed in our direction. This month we continue the year-long saga of ProxyLogon, ProxyOracle, and ProxyShell vulnerabilities that have plagued enterprise mail servers and add an additional two CVEs to the growing list. These bug variations are all based around an architectural flaw in Exchange which is basically built-in server-side request forgery (SSRF) by design. Not a good look but everyone is putting on a disguise this month, aren’t they?

Might need to go a ProxyDiet after this one Might need to go a ProxyDiet after this one

CVE-2022-41040 and CVE-2022-41082 were detected in the wild as zero-day exploitation by GTSC Cyber Security on September 29 and are now referred to collectively as ProxyNotShell. This combination of vulnerabilities results in remote code execution (RCE) similar to ProxyShell; however, it requires authentication to the Exchange mail server, access to the Outlook Web Access server application, and for the server to have Exchange PowerShell available, which has reduced the overall impact of these vulnerabilities. Despite these bugs being privately reported to ZDI back in August, Microsoft has not patched them as of this writing.

One element of these attacks is that Exchange must impersonate authentication tokens to access resources on behalf of the connected user. The attacks seen up until this point focus on using user authentication, either by forcing the system account to impersonate the user or requiring an authenticated user in the case of ProxyNotShell.

Who cares?

Any enterprise network deploying Microsoft Exchange should be paying close attention to this series of vulnerabilities. There is active in-the-wild exploitation now just as we have seen in the past for the previous variants. For these unpatched vulnerabilities see the mitigation guidance below.

While talking about ProxyNotShell, I would also like to highlight a related collection of bugs now referred to as ProxyRelay (CVE-2021-33768, CVE-2022-21979, and CVE-2021-26414), which were patched slowly and incrementally over the past year and only discussed in detail this month. This was a collection of three CVEs so far, and according to a blog post by the researcher Orange Tsai who found all of these Exchange vulnerabilities the past year, there is an additional flaw that has yet to be publicly disclosed or fixed by Microsoft. Ongoing exploitation and additional zero-day vulnerabilities in the remediation pipeline mean someone is playing necromancer and controlling a zombie army of mail servers – that’s taking the theatrics a bit too far if you ask me!

The fixes for these “Exchange Proxy” class of bugs have been partially implemented and bypassed by security researchers or guarded by registry keys and disabled by default for extended periods of time. Microsoft has also shipped these fixes via Content Updates (CU) instead of patches with security bulletins which is unusual and more likely to be missed by system administrators. Environments deploying multiple Exchange servers should be on the lookout for fixes for the currently undisclosed CVE that has been submitted to Microsoft. I hate to say it, but you’re likely going to have to watch these like you’re looking out for Mike Meyers on Halloween night.

What can I do?

This section is usually the easiest to write – the hardest part is trying to come up with a new way of writing “please patch” for the thousandth time. Not so this time around, as there is (currently) no patch available for these vulnerabilities.

That being said, Microsoft has provided guidance for implementing several mitigations, including an IIS URL Rewrite rule as well as disabling remote PowerShell for non-admins. Details of what to do follow the lengthy list of updates in the guidance. Please implement these mitigations, or risk threat actors creepy crawling all over your network!

To add some treats to this list of tricks, we are happy to report that Trellix customers are already covered through both our Intrusion Prevention System (IPS) and Network Security products. Trellix IPS provides coverage for both vulnerabilities as of release 10.9.37.6 via attack ID 0x45298B00, while those using Trellix Network Security are covered for CVE-2022-41082 via the rule “Microsoft Exchange Server CVE-2022-41082 Remote Code Execution.”

CVE-2022-42889: A patch for Apache’s latest Java “4Shell”

What is it?

Sticking with the theme of long series of vulnerabilities with similar branding, we have a new Apache Commons vulnerability going by the name Text4Shell and being tracked as CVE-2022-42889. Text4Shell is another Java deserialization vulnerability that can lead to RCE, this time in the Apache Commons Text library’s string interpolation functions.

It’s like déjà vu all over again It’s like déjà vu all over again

These functions provide an API for converting strings via “Lookup” objects that automatically perform some action on deserialization. Specifically, if the Apache Commons Text StringSubstitutor object is instantiated with default options and used to replace text on a user supplied string, an attacker can leverage the URL, DNS, or SCRIPT property interpolation functionality to execute arbitrary code or leak information about the network.

Who cares?

Java is one of the top 3 most used programming languages and Java deserialization has been one of the top bug classes exploited by attackers since it was discovered in the mid-2000s, so it should come as no surprise that this is an area that needs active and continuous monitoring for vulnerabilities. As if Freddy Kreuger is clicking his blades behind the scenes, Java deserialization vulnerabilities are a nightmare we can’t seem to wake up from.

What can I do?

This vulnerability has been patched in Apache Commons Text version 1.10 which can be retrieved from their website. Unlike razor blades in candy bars, this poses a real threat, so get to patching ASAP.

Fortunately, this API is not used on the scale of Log4j, with the official Maven Repository showing only 2602 projects import Apache Commons Text and the majority of those are not passing unsanitized user-controlled strings to the StringSubstitutor API. That said, businesses that develop Java code should be looking for any use for the Apache Commons Text library versions 1.5 - 1.9 which are known to be vulnerable.

Despite our jokes about late nights, Trellix customers can rest a bit easier, as they are covered via Trellix Network Security rule “Apache Commons Text String CVE-2022-42889 RCE.” For those using Trellix IPS, coverage is also available as a User-Defined Signature (UDS) via attack ID 0x452B8B00, included as part of the November 1st signature set. No need to go door-to-door knocking for these treats.

A ghost says BYOVD

You gotta say it with your chest You gotta say it with your chest

What is it?

For our last subject this month, I want to highlight an ongoing discussion between Microsoft and the security research community regarding a broken mitigation that is now being leveraged by threat actors such as Lazarus in “bring your own vulnerable driver” attacks. Attackers use this method to pivot to kernel after already gaining local access as a way of avoiding detection and maintaining long term control of the system. This issue came to the forefront via Twitter discussions (if such a thing is even possible on Twitter) and a following Ars Technica article this month titled “How a Microsoft blunder opened millions of PCs to potent malware attacks,” which detailed a problem with Microsoft’s advertised security feature that prevents loading of known-vulnerable signed drivers. The problem is that the list of known vulnerable drivers has not been updated since release in 2019 and the existing block list contained as few as two drivers, making for a fairly lonely stage at the security theater.

Meanwhile, Microsoft has asserted this block list would be automatically updated via Windows Update. Without this protection, threat actors have been leveraging outdated vulnerable signed OEM drivers to pivot to the kernel to hide from system monitoring software. In addition to the block list, Windows Defender Attack Surface Reduction (ASR) rule “Block abuse of exploited vulnerable signed drivers” is also reported to be ineffective at preventing the installation of these drivers.

Who cares?

While this issue differs from our typical Bug Report entries in that it constitutes a post-exploitation attack, it is nonetheless important to be aware of in an enterprise context where post-exploitation persistence is a real concern and threat actors like Lazarus are known to target. The block list was not previously disclosed, and Attack Surface Reduction based blocking may not be functioning as advertised, so there was a false sense of security around the level of protection being offered. Turns out that coverage was as useful as a shower curtain against a kitchen knife.

What can I do?

Microsoft has updated their documentation regarding driver block rules. The updates clarify they only intend to ship new rules with major OS updates and not on a continuous basis. They have also said they will ship an updated list to Windows 10 systems soon™. In addition, they have added guidance for enabling driver blocking using Windows Defender Application Control (WDAC) policies which does not require HVCI and may be usable on a wider range of hardware. Administrators can manually download the latest driver block rules and follow Microsoft’s guidance to enable one of the three different methods for blocking drivers. Due to the uncertainty around the functioning of these security controls, I recommend testing your blocking configuration on your network to make sure it works if possible. Fool me once, as they say.

_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _

Related

trellix 1
qualysblog 2
talosblog 4
thn 8
attackerkb 2
cert 1
krebs 1
hackread 1
malwarebytes 3
msrc 4
mssecure 1
nessus 5
rapid7blog 4
packetstorm 2
cisa_kev 2
checkpoint_advisories 2
wordfence 1
cisa 1
hivepro 1
mmpc 1
kaspersky 1
metasploit 2
akamaiblog 1
impervablog 2
prion 6
ics 1
cve 5
mscve 5
securelist 1
hackerone 1
githubexploit 64
mskb 2
zdi 32
cnvd 3
redos 1
ibm 8
osv 2
gentoo 1
atlassian 5
wallarmlab 1
veracode 1
zdt 1
redhatcve 1
paloalto 1
debiancve 1
ubuntucve 1
github 1
openvas 1
trellix
trellix
The Bug Report October 2022 Edition
2022-11-02 00:00:00
qualysblog
qualysblog
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform
2022-09-30 23:25:55
CVE-2022-42889: Detect Text4Shell via Qualys Container Security
2022-10-25 21:55:05
talosblog
talosblog
Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole
2022-10-06 18:00:00
Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole
2022-10-06 18:00:00
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
2022-09-30 21:16:00
thn
thn
State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations
2022-10-01 06:36:00
Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds
2022-10-05 05:31:00
Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities
2022-10-08 05:13:00
attackerkb
attackerkb
CVE-2022-41082
2022-10-03 00:00:00
CVE-2022-41040
2022-10-03 00:00:00
cert
cert
Microsoft Exchange vulnerable to server-side request forgery and remote code execution.
2022-10-03 00:00:00
krebs
krebs
Microsoft: Two New 0-Day Flaws in Exchange Server
2022-09-30 16:51:57
hackread
hackread
Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers
2022-09-30 17:56:35
malwarebytes
malwarebytes
[updated]Two new Exchange Server zero-days in the wild
2022-09-30 13:00:00
Rackspace confirms it suffered a ransomware attack
2022-12-08 12:00:00
Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected
2022-10-12 17:45:00
msrc
msrc
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
2022-09-30 06:55:00
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
2022-09-30 07:00:00
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
2022-09-30 07:00:00
mssecure
mssecure
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
2022-10-01 04:21:00
nessus
nessus
Microsoft Exchange Server October 2022 Zero-day Vulnerabilities (ProxyNotShell)
2022-10-05 00:00:00
Potential exposure to Microsoft Exchange CVE-2022-41040 / CVE-2022-41082 Exploit
2022-10-03 00:00:00
KB5004442: Windows DCOM Server Security Feature Bypass Registry Check (CVE-2021-26414)
2023-01-25 00:00:00
rapid7blog
rapid7blog
CVE-2022-41040 and CVE-2022-41082: Unpatched Zero-Day Vulnerabilities in Microsoft Exchange Server
2022-09-29 20:50:50
Metasploit Weekly Wrap-Up
2022-12-02 21:00:13
Rapid7’s Impact from Apache Commons Text Vulnerability (CVE-2022-42889)
2022-11-04 13:00:00
packetstorm
packetstorm
Microsoft Exchange ProxyNotShell Remote Code Execution
2022-11-30 00:00:00
Apache Commons Text 1.9 Remote Code Execution
2024-01-19 00:00:00
cisa_kev
cisa_kev
Microsoft Exchange Server Remote Code Execution Vulnerability
2022-09-30 00:00:00
Microsoft Exchange Server Server-Side Request Forgery Vulnerability
2022-09-30 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Exchange Server Remote Code Execution (CVE-2022-41082; CVE-2022-41040)
2022-10-03 00:00:00
Apache Commons Text Remote Code Execution (CVE-2022-42889)
2022-10-18 00:00:00
wordfence
wordfence
Two Weeks of Monitoring ProxyNotShell (CVE-2022-41040 & CVE-2022-41082) Threat Activity
2022-10-19 16:01:59
cisa
cisa
Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server
2022-09-30 00:00:00
hivepro
hivepro
Unpatched zero-day vulnerabilities of Microsoft Exchange Server
2022-09-30 10:21:56
mmpc
mmpc
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
2022-10-01 04:21:00
kaspersky
kaspersky
KLA19264 Multiple vulnerabilities in Microsoft Exchange Server
2022-09-30 00:00:00
metasploit
metasploit
Microsoft Exchange ProxyNotShell RCE
2022-11-18 22:00:27
Apache Commons Text RCE
2023-12-24 19:13:50
akamaiblog
akamaiblog
Akamai?s Response to Zero-Day Vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082)
2022-10-03 09:00:00
impervablog
impervablog
Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082
2022-09-30 16:47:34
Apache Commons Text vulnerability CVE-2022-42889
2022-10-18 18:30:39
prion
prion
Privilege escalation
2021-07-14 18:15:00
Information disclosure
2022-08-09 20:15:00
Privilege escalation
2022-10-03 01:15:00
ics
ics
#StopRansomware: Play Ransomware
2023-12-18 12:00:00
cve
cve
CVE-2021-33768
2021-07-14 18:15:00
CVE-2022-21979
2022-08-09 20:15:00
CVE-2021-26414
2021-06-08 23:15:00
mscve
mscve
Microsoft Exchange Server Elevation of Privilege Vulnerability
2021-07-13 07:00:00
Microsoft Exchange Server Information Disclosure Vulnerability
2022-08-09 07:00:00
Windows DCOM Server Security Feature Bypass
2021-06-08 07:00:00
securelist
securelist
CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
2022-12-19 16:15:49
hackerone
hackerone
Acronis: mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040
2022-10-02 08:47:22
githubexploit
githubexploit
Exploit for Improper Privilege Management in Microsoft
2022-10-20 22:14:04
Exploit for Improper Privilege Management in Microsoft
2022-10-06 22:16:30
Exploit for Improper Privilege Management in Microsoft
2022-10-04 03:50:10
mskb
mskb
Security update 2021-06-08
2021-06-08 07:00:00
KB5023787: Servicing stack update for Windows 10: March 14, 2023
2021-06-08 07:00:00
zdi
zdi
Microsoft Exchange FormattedTextWriterTraceListener Exposed Dangerous Function Denial-of-Service Vulnerability
2022-11-22 00:00:00
Microsoft Exchange TraceFile Exposed Dangerous Function Information Disclosure Vulnerability
2022-11-22 00:00:00
Microsoft Exchange FileLog Exposed Dangerous Function Denial-of-Service Vulnerability
2022-11-22 00:00:00
cnvd
cnvd
Microsoft Exchange Server Elevation of Privilege Vulnerability (CNVD-2022-67837)
2022-10-08 00:00:00
Microsoft Exchange Server Remote Code Execution Vulnerability (CNVD-2022-67838)
2022-10-08 00:00:00
Apache Commons Text remote code execution vulnerability
2022-10-14 00:00:00
redos
redos
ROS-20230922-01
2023-09-22 00:00:00
ibm
ibm
Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote code execution due to Apache Commons Text (CVE-2022-42889)
2022-11-22 07:56:05
Security Bulletin: Apache Commons Text as used by IBM Cloud Pak for Security is vulnerable to code execution [CVE-2022-42889]
2022-11-22 15:22:26
Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to remote code execution due to Apache Commons Text [CVE-2022-42889]
2022-11-28 16:28:57
osv
osv
Arbitrary code execution in Apache Commons Text
2022-10-13 19:00:17
CVE-2022-42889
2022-10-13 13:15:10
gentoo
gentoo
Apache Commons Text: Arbitrary Code Execution
2023-01-11 00:00:00
atlassian
atlassian
Upgrade Apache Commons-text to mitigate CVE-2022-42889 (excludes bundled OpenSearch)
2022-10-24 22:35:59
Upgrade Apache Commons-text for CVE-2022-42889
2022-11-07 20:21:30
Upgrade Apache Commons-text for CVE-2022-42889
2022-11-10 17:03:03
wallarmlab
wallarmlab
New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889
2022-10-18 05:02:38
veracode
veracode
Arbitrary Code Execution
2022-10-14 18:57:11
zdt
zdt
Apache Commons Text 1.9 Remote Code Execution Exploit
2024-01-21 00:00:00
redhatcve
redhatcve
CVE-2022-42889
2022-10-17 16:42:02
paloalto
paloalto
Impact of Apache Text Commons Vulnerability CVE-2022-42889
2022-11-09 17:00:00
debiancve
debiancve
CVE-2022-42889
2022-10-13 13:15:00
ubuntucve
ubuntucve
CVE-2022-42889
2022-10-13 00:00:00
github
github
Arbitrary code execution in Apache Commons Text
2022-10-13 19:00:17
openvas
openvas
Apache Commons Text 1.5 - 1.9 RCE Vulnerability (Text4Shell)
2022-11-25 00:00:00
JSON
Related for TRELLIX:2190FF6CC59F0018181B8146CC20B06D
trellix1qualysblog2talosblog4thn8attackerkb2cert1krebs1hackread1malwarebytes3msrc4mssecure1nessus5rapid7blog4packetstorm2cisa_kev2checkpoint_advisories2wordfence1cisa1hivepro1mmpc1kaspersky1metasploit2akamaiblog1impervablog2prion6ics1cve5mscve5securelist1hackerone1githubexploit64mskb2zdi32cnvd3redos1ibm8osv2gentoo1atlassian5wallarmlab1veracode1zdt1redhatcve1paloalto1debiancve1ubuntucve1github1openvas1