
Microsoft Exchange 0-Day Vulnerability Updates

By James Slaughter | September 30, 2022

On 28th September, 2022, the cybersecurity company GTSC released a blog detailing an exploit attempt on a system they were monitoring. After analysis, they were able to locate and submit two bugs to Microsoft via the Zero Day Initiative (ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3)). Microsoft validated the findings and CVE-2022-41040 and CVE-2022-41082 were assigned to the vulnerabilities.

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 allows for remote code execution (RCE) where PowerShell is available.

This blog describes what you need to know about these vulnerabilities.

Affected Platforms: On premises Microsoft Exchange Server 2013, 2016, and 2019
Impacted Users: Any organization that uses a vulnerable version of Microsoft Exchange
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

What is Microsoft Exchange?

Exchange is Microsoft’s email and calendaring server. First released in 1996 (as Exchange 4.0), its most recent version is Exchange 2019. It is available for installation on-premises or online using a Software-as-a-Service model (SaaS).

What versions of Microsoft Exchange are vulnerable?

  • On-premises Microsoft Exchange Server 2013
  • On-premises Microsoft Exchange Server 2016
  • On-premises Microsoft Exchange Server 2019

How are the vulnerabilities exploited?

It appears that the measures used to resolve the ProxyShell vulnerabilities (a collective name for three related Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) were not entirely successful.

As with that collection, these new vulnerabilities need to be chained in order to work. CVE-2022-41040 can be exploited using a GET query much like ProxyShell.

For example:

GET autodiscover/autodiscover.json?@evilinc.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evilinc.com

The major difference between the two vulnerability sets is that authenticated access to the vulnerable Exchange Server is needed to exploit it successfully. This may seem a significant hurdle at first, but valid credentials can easily and relatively inexpensively be bought on the dark web.

Significance of Microsoft Exchange Vulnerabilities

Microsoft Exchange is widely used in enterprise environments and an unpatched vulnerability that could allow remote code execution by an attacker would pose significant risk to any exposed organization.

Have exploit attempts for CVE-2022-41040 and CVE-2022-41082 been observed in the wild?

Yes. Microsoft has reported that both vulnerabilities are being used in “limited and targeted” attacks. Also, as mentioned, GTSC initially discovered the vulnerabilities via direct observation of an intrusion.

Have these vulnerabilities been patched?

At the time of this writing (September 30, 2022), a patch has not been released. Microsoft has stated that one is being developed on an accelerated timeline.

Has the vendor provided any mitigations?

Yes, Microsoft has released the following mitigation procedure:

"The current mitigation is to add a blocking rule in 'IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions' to block the known attack patterns."

To perform this action:

  1. Open the IIS Manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the Feature View, click URL Rewrite.
  5. In the Actions pane on the right-hand side, click Add Rules.
  6. Select Request Blocking and click OK.
  7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
  8. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.
  9. Change the condition input from {URL} to {REQUEST_URI}.

Microsoft has also stated that blocking the following Remote PowerShell ports can limit the potential for attack attempts.
  • HTTP: 5985
  • HTTPS: 5986

Does Fortinet protect against exploit attempts?

Yes, Fortinet has updated existing signature sets to address this latest zero-day. IPS signature “MS.Exchange.Server.Autodiscover.Remote.Code.Execution” blocks exploit attempts for both CVE-2022-41040 and CVE-2022-41082.

What are FortiGuard Outbreak Alerts?

FortiGuard Outbreak Alerts provide timely steps to mitigate breaking cybersecurity attacks. They communicate important information to Fortinet's customers and partners. Outbreak Alerts help customers understand what happened, the technical details of the attack, and how organizations can protect themselves from the attack and others like it.

Has Fortinet released any other publications regarding the Microsoft Exchange vulnerabilities?

Yes, Fortinet has released some additional material since this issue came to light. Below is the list of released publications:

Conclusion

Despite mitigating steps being available and the requirement for authentication, it would be unwise to underestimate the seriousness of these vulnerabilities. The easy availability of tools that can automatically scan the Internet for vulnerable servers means that affected machines become a very visible target.

FortiGuard Labs will continue to actively monitor the situation for further insights and provide additional information about protections as they become available.

Update 10/6 – Microsoft has provided updated mitigation guidance in their blog post.

Fortinet Protections

Fortinet customers running the latest definitions are protected from active exploitation of this 0-day through our IPS, FortiClient, FortiGate, FortiWeb, FortiSASE, FortiNDR, FortiADC and FortiProxy services, and FortiGuard’s Web Filtering technologies.

The following IPS signature detects the activity mentioned in this blog:

MS.Exchange.Server.Autodiscover.Remote.Code.Execution

The WebFiltering client blocks all network-based URIs.

Network IOCs:

