Two New Post-Auth 0-Day Vulnerabilities Affecting Microsoft Exchange Servers

Summary

Two post-auth 0-day vulnerabilities were discovered in the latest version of the MS Exchange servers.The vulnerabilities are tagged CVE-2022-41040 (SSRF) and CVE-2022-41082 (RCE).
 
Category: Vulnerability Intelligence Vulnerability Class: Post-Auth SSRF, RCE CVE ID: CVE-2022-41040 CVE-2022-41082 CVSS:3.0 Score: 8.8 6.3

Executive Summary

THREAT IMPACT MITIGATION
  • Two post-auth 0-day vulnerabilities discovered in the latest version of the MS Exchange servers.
  • The vulnerabilities are tagged CVE-2022-41040 (SSRF) and CVE-2022-41082 (RCE).
  • CVE-2022-41040 enables an authenticated attacker to trigger CVE-2022-41082.
  • The vulnerability can allow threat actors to gain initial access to an organization’s systems/network and conduct further exploitation.
  • Follow the latest guidance from Microsoft until a security patch is released. Microsoft Guidance

Technical Analysis

  • Security company GTSC identified exploitation attempts in Microsoft IIS Server logs for a client.
  • Internet Information Services (IIS) is an adaptable and secure web server for hosting anything on the Internet.
  • The exploit requests were very similar to the requests previously used to exploit the ProxyShell vulnerability.
  • Investigation by the GTSC team confirmed the presence of two post-auth 0-day vulnerabilities in the latest version of Microsoft Exchange servers.
  • The vulnerabilities have been submitted to the Zero Day Initiative (ZDI) and assigned the following IDs:
    • ZDI-CAN-18333
    • ZDI-CAN-18802

About the Vulnerabilities

  • Microsoft assigned CVE-2022-41040 to the SSRF vulnerability and CVE-2022-41082 to the RCE vulnerability.
  • It is required for the attacker to have authenticated access to the vulnerable Exchange server to be able to exploit the vulnerabilities.
  • Exploitation of CVE-202-41040 is used to trigger the RCE vulnerability CVE-2022-41082.
  • As per Microsoft, CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker. It is however important to note that there are other methods to exploit the Exchange servers for RCE without Powershell.
  • Since the exploitation requires the attacker to be authenticated, techniques like credential stuffing attacks could be used to get authentication.
  • Bruteforcing email/domain usernames with commonly used passwords are observed as a common technique among attackers to gain access to Exchange servers.

Information from OSINT

  • As per Shodan, currently there are more than two hundred thousand active MS Exchange servers.
Screenshot of the Shodan search results for active MS Exchange servers
Screenshot of the Shodan search results for active MS Exchange servers
 

Possible Impact

  • By exploiting this vulnerability, threat actors can gain remote control of MS Exchange servers.
  • The above access can be exploited for the following:
    • Executing commands
    • Privilege escalation
    • Downloading malicious files
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, install botnets and maintain persistence.

Mitigation Measures

Note: These Mitigations have been sourced from the guidance released by Microsoft On-premises Microsoft Exchange customers should review and apply the following “URL Rewrite” instructions and block any exposed Remote PowerShell ports.
    • Open the IIS Manager
    • Expand the Default Web Site
    • Select Autodiscover
    • In the Feature View, click URL Rewrite
    • Click on the Add Rules option available in the Actions pane.
    • Select Request Blocking and click OK
    • Add string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
    • Expand and select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*”
    • Click Edit under Conditions
    • Change the condition input from {URL} to {REQUEST_URI}
  • Refer to the Appendix section for the screenshots describing the above steps.
  • There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
  • Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will also be able to trigger RCE using CVE-2022-41082. Blocking the following ports used for Remote PowerShell can limit these attacks.
    • HTTP: 5985
    • HTTPS: 5986

Indicators of Compromise

Note: These IOCs are from the attack detected by the GTSC team.
SHA256 Hashes
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
URL
hxxp://206[.]188[.]196[.]77:8080/themes[.]aspx
IP Address
125[.]212[.]220[.]48 104[.]244[.]79[.]6 86[.]48[.]12[.]64 94[.]140[.]8[.]48
5[.]180[.]61[.]17 112[.]118[.]48[.]186 212[.]119[.]34[.]11 94[.]140[.]8[.]113
47[.]242[.]39[.]92 122[.]155[.]174[.]188 103[.]9[.]76[.]211 103[.]9[.]76[.]208
61[.]244[.]94[.]85 125[.]212[.]241[.]134 185[.]220[.]101[.]182 194[.]150[.]167[.]88
86[.]48[.]6[.]69

References

Appendix

Vulnerabilities listed on ZDI website
Vulnerabilities listed on ZDI website
 
Screenshot of the Microsoft IIS Server logs containing the URL Rewrite option
Screenshot of the Microsoft IIS Server logs containing the URL Rewrite option
 
Screenshot of the Add Rules option present in the Actions pane of the URL Rewrite
Screenshot of the Add Rules option present in the Actions pane of the URL Rewrite
 
Screenshot of the Request Blocking option present in the Add Rules dialogue box
Screenshot of the Request Blocking option present in the Add Rules dialogue box
 
Screenshot of adding the string in the Pattern (URL Path) data field
Screenshot of adding the string in the Pattern (URL Path) data field
 
Screenshot of the Pattern selection
Screenshot of the Pattern selection
 
Screenshot of the Condition input being changed to {REQUEST_URL}
Screenshot of the Condition input being changed to {REQUEST_URL}
 

Table of Contents

Request an easy and customized demo for free