SECURITY ALERTS

Multiple Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) Exist in Microsoft Exchange Server, Allowing Arbitrary Code Execution

DESCRIPTION:
Two high-risk vulnerabilities, collectively called ProxyNotShell, exist in Microsoft Exchange Server. The first, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability; the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. By chaining the two vulnerabilities, an attacker can bypass authentication, elevate privileges, and then execute arbitrary code.


AFFECTED RELEASES:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 22 and 23
Microsoft Exchange Server 2019 Cumulative Update 11 and 12


SOLUTION:
1. Microsoft has not released an update for either vulnerability at present. Users and system administrators are advised to assess whether to apply the following mitigation:
(1) Open IIS Manager
(2) Select Default Web Site
(3) In the Feature View, click URL Rewrite
(4) In the Actions pane on the right-hand side, click Add Rule(s)…
(5) Select Request Blocking and click OK
(6) Add the string ".*autodiscover\.json.*Powershell.*" (excluding quotes)
(7) Select Regular Expression under Using
(8) Select Abort Request under How to block and then click OK
(9) Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions
(10) Change the Condition input from {URL} to {REQUEST_URI}
P.S. If any rule needs to be changed, it is recommended to delete the existing rule and recreate it rather than edit it in place.
2. Please continue to pay attention to Microsoft’s official information and install the patch as soon as possible after it is released.
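
As an added example (not part of this advisory and not Microsoft's own tooling), the following Python script replays the mitigation rule's pattern against constructed IIS W3C log lines to show which requests the rule would block, and why step 10 matters: {URL} carries only the request path, while {REQUEST_URI} also carries the query string, where the Powershell segment can appear. The log lines, field list and addresses are constructed samples.

```python
import re

# Pattern from the mitigation rule. IIS URL Rewrite patterns ignore case
# by default, so re.IGNORECASE mirrors the rule as created in IIS Manager.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt (sample data, not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-10-01 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json a=placeholder/powershell 443 - 203.0.113.7 200
2022-10-01 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.local 443 - 203.0.113.8 200
2022-10-01 10:15:03 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 302
2022-10-01 10:15:04 10.0.0.5 GET /Autodiscover/Autodiscover.json/PowerShell - 443 - 203.0.113.10 401
"""


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def request_uri(stem, query):
    """Rebuild {REQUEST_URI}: path plus query string ('-' means no query)."""
    return stem if query == "-" else f"{stem}?{query}"


def evaluate_rule(rows, condition_input="REQUEST_URI"):
    """Return (client IP, tested value) for requests the rule would block.

    condition_input mirrors step 10 of the advisory: with {URL} the rule
    tests only cs-uri-stem; with {REQUEST_URI} it tests stem plus query.
    """
    blocked = []
    for r in rows:
        if condition_input == "URL":
            subject = r["cs-uri-stem"]
        else:
            subject = request_uri(r["cs-uri-stem"], r["cs-uri-query"])
        if BLOCK_PATTERN.match(subject):
            blocked.append((r["c-ip"], subject))
    return blocked


if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_LOG)
    for cond in ("URL", "REQUEST_URI"):
        print(f"Condition input {{{cond}}} blocks {len(evaluate_rule(rows, cond))} request(s)")
        for ip, uri in evaluate_rule(rows, cond):
            print(f"  {ip}  {uri}")
```

Run against real IIS logs, the same logic doubles as a retrospective hunt for requests the rule would have blocked before it was in place.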


REFERENCE:
1. https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html?m=1
2. https://www.ithome.com.tw/news/153387
3. https://www.ithome.com.tw/news/153457
4. https://nvd.nist.gov/vuln/detail/CVE-2022-41040
5. https://nvd.nist.gov/vuln/detail/CVE-2022-41082
6. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040
7. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
8. https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
9. https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/