
Exchange Zero Day Vulnerabilities being exploited in the wild - CVE-2022-41040 & CVE-2022-41082


dips
  • Veeam Legend
  • 808 comments

For those of you who still run Exchange on-prem, there are 2 zero days currently being exploited in the wild:

CVE-2022-41040: A Server Side Request Forgery (SSRF) issue. 
CVE-2022-41082: A remote code execution (RCE) issue.

No information on when there will be a patch. 

To mitigate, add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions”

  • “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes)

More guidance here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

9 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • September 30, 2022

Thanks for sharing this.


dips
  • Author
  • Veeam Legend
  • 808 comments
  • September 30, 2022

No problem, mitigating the issue is simple.

The following ports can also be blocked:

  • HTTP: 5985 
  • HTTPS: 5986 

Iams3le
  • Veeam Legend
  • 1394 comments
  • October 1, 2022

Thanks for sharing @dips


Iams3le
  • Veeam Legend
  • 1394 comments
  • October 1, 2022

Since I did not want to create a new post on this topic, here is a blog post covering all that needs to be done until the patches are released: https://techdirectarchive.com/2022/10/01/cve-2022-41040-and-cve-2022-41082-workaround-for-a-zero-day-vulnerability-on-microsoft-exchange-server/


dips
  • Author
  • Veeam Legend
  • 808 comments
  • October 1, 2022

Microsoft have published an analysis here:

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

In addition, if using Microsoft 365 Defender, there are some advanced hunting queries that can be utilised:

Suspicious files in Exchange Directories:

// Files dropped under the Exchange front-end HttpProxy folders by an IIS worker process (w3wp.exe) running an Exchange app pool
DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\\HttpProxy\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

Chopper Web Shell Activity: 

// Processes spawned by w3wp.exe whose command line carries the command-chaining markers typical of China Chopper style web shells
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has_any ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo", "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")
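To make it concrete what these two hunting queries match, here is an added Python example (not from this post, and not Microsoft code) that re-implements their filters over a handful of constructed records shaped like DeviceProcessEvents and DeviceFileEvents rows. The dataclasses, the sample records and the hunt() helper are assumptions made for the example; KQL's term-based has/has_any operators are approximated with case-insensitive substring tests, which is slightly broader than what Defender itself would return.

```python
from dataclasses import dataclass

# Markers from the "Chopper Web Shell Activity" query above (compared case-insensitively,
# as KQL has_any does).
CHOPPER_MARKERS = ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo",
                   "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns used by the query (assumed shape)."""
    DeviceId: str
    InitiatingProcessFileName: str
    ProcessCommandLine: str


@dataclass
class FileEvent:
    """Subset of DeviceFileEvents columns used by the query (assumed shape)."""
    DeviceId: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    FolderPath: str
    FileName: str
    SHA256: str


def is_chopper_activity(ev: ProcessEvent) -> bool:
    # KQL `=~` is case-insensitive equality; `has_any` is case-insensitive term matching,
    # approximated here with a substring test.
    if ev.InitiatingProcessFileName.lower() != "w3wp.exe":
        return False
    cmd = ev.ProcessCommandLine.lower()
    return any(marker.lower() in cmd for marker in CHOPPER_MARKERS)


def is_suspicious_exchange_file(ev: FileEvent) -> bool:
    # KQL `==` is case-sensitive; `has` and `contains` are case-insensitive.
    if ev.InitiatingProcessFileName != "w3wp.exe":
        return False
    if "frontend\\httpproxy\\" not in ev.FolderPath.lower():
        return False
    return "msexchange" in ev.InitiatingProcessCommandLine.lower()


def hunt(process_events, file_events):
    """Return (rule, DeviceId, detail) tuples for every record either query would surface."""
    hits = []
    for ev in process_events:
        if is_chopper_activity(ev):
            hits.append(("chopper", ev.DeviceId, ev.ProcessCommandLine))
    for ev in file_events:
        if is_suspicious_exchange_file(ev):
            hits.append(("exchange_file", ev.DeviceId, ev.FolderPath + ev.FileName))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    # w3wp.exe spawning cmd with the echo [S]/[E] framing the query looks for -> hit
    ProcessEvent("EXCH01", "w3wp.exe",
                 "cmd.exe /c cd /d C:\\inetpub\\wwwroot\\aspnet_client&whoami&echo [S]&cd&echo [E]"),
    # w3wp.exe running a plain command without the chained-echo markers -> no hit
    ProcessEvent("EXCH01", "w3wp.exe", "cmd.exe /c ipconfig"),
    # same markers but not spawned by the IIS worker process -> no hit
    ProcessEvent("WS042", "explorer.exe", "cmd.exe /c &whoami&echo [S]"),
]

SAMPLE_FILE_EVENTS = [
    # Exchange app-pool worker writing an .aspx under FrontEnd\HttpProxy -> hit
    FileEvent("EXCH01", "w3wp.exe",
              "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\"",
              "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\",
              "errorFE.aspx", "0000000000000000000000000000000000000000000000000000000000000000"),
    # same worker writing to the IIS log folder -> no hit
    FileEvent("EXCH01", "w3wp.exe",
              "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\"",
              "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\", "u_ex221001.log",
              "1111111111111111111111111111111111111111111111111111111111111111"),
]


if __name__ == "__main__":
    for rule, device, detail in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(f"[{rule}] {device}: {detail}")
```

Running the module prints one hit per query: the chained-echo command line spawned by w3wp.exe and the .aspx written under FrontEnd\HttpProxy by the MSExchangeOWAAppPool worker. Anything the approximated filters surface should still be confirmed against the real Defender query before treating it as an indicator.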

 


regnor
  • Veeam MVP
  • 1354 comments
  • October 1, 2022

Thanks for posting this here @dips, I wanted to do the same but didn't find time yesterday.

Blocking the ports isn't enough in this case. You would have to implement the redirect/blocking rule in order to prevent any attacks. The good news is that Microsoft has pushed a mitigation via the Emergency Mitigation Service yesterday:

https://techcommunity.microsoft.com/t5/exchange-team-blog/customer-guidance-for-reported-zero-day-vulnerabilities-in/ba-p/3641494


dips
  • Author
  • Veeam Legend
  • 808 comments
  • October 1, 2022

No problem @regnor 

Thanks for the link. Looks like Microsoft will probably end up changing their guidance a few more times until they work out the final details but glad they have pushed a mitigation out in the meanwhile. 


Iams3le
  • Veeam Legend
  • 1394 comments
  • October 2, 2022
regnor wrote:

Thanks for posting this here @dips, I wanted to do the same but didn't find time yesterday.

Blocking the ports isn't enough in this case. You would have to implement the redirect/blocking rule in order to prevent any attacks. The good news is that Microsoft has pushed a mitigation via the Emergency Mitigation Service yesterday:

https://techcommunity.microsoft.com/t5/exchange-team-blog/customer-guidance-for-reported-zero-day-vulnerabilities-in/ba-p/3641494

I agree with you on this because those are just the WinRM config transport ports for HTTP/HTTPS. The only temporary fix is the workaround suggested by the security researchers: have the redirect blocking rule implemented.

In my guide, I included rules to see if you have been compromised!


Iams3le
  • Veeam Legend
  • 1394 comments
  • October 2, 2022
dips wrote:

No problem @regnor 

Thanks for the link. Looks like Microsoft will probably end up changing their guidance a few more times until they work out the final details but glad they have pushed a mitigation out in the meanwhile. 

Exactly! This continues to change, and the changes will be transparent as the msrc-blog post is updated with new information.

