

October 7, 2022
Severity
High
Analysis Summary
Last week Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange, discovered by GTSC researchers, are being actively exploited in the wild.
Microsoft promptly started investigating the two zero-day vulnerabilities, which affect Microsoft Exchange Server 2013, 2016, and 2019.
CVE-2022-41040 & CVE-2022-41082 (ProxyNotShell)
The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Successful exploitation of CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082. According to Microsoft, CVE-2022-41040 is a high-risk vulnerability (8.8/10 severity) that an attacker can exploit with little effort to gain further access to the vulnerable system without the user’s knowledge.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.”
The company also stated that only authenticated attackers can exploit the CVE-2022-41040 flaw; after a successful exploit, they can then exploit the CVE-2022-41082 RCE vulnerability.
The cybersecurity company, which was the first to report the attacks, says the two zero-days are chained to deploy China Chopper web shells for data theft and persistence, as well as to move laterally through the victims’ networks. It also suspects that a Chinese threat group is behind the ongoing attacks, based on the code page of the web shells, a Microsoft character encoding for simplified Chinese.
Microsoft stated that it is working on an accelerated timeline to release a fix that resolves both issues. Meanwhile, the company provided mitigations and detection guidance to help customers protect themselves from these attacks.
The mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
To allow organizations to check whether their Exchange Servers have been compromised through these flaws, GTSC released guidelines and a tool to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder):
- Method 1: Use the following PowerShell command:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
- Method 2: Use the tool developed by GTSC. In GTSC’s words: “Based on the exploit signature, we built a tool that searches in much less time than using PowerShell.” The link to download: https://github.com/ncsgroupvn/NCSE0Scanner
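The following is an added example, not GTSC’s tool or the advisory’s own code: it runs the Select-String pattern above over a constructed IIS W3C log excerpt and puts a stricter field-aware check beside it, because the loose pattern accepts a “200” anywhere after the “@” (a time-taken value, for instance), not only in sc-status.

```python
import re

# GTSC's Select-String pattern copied from the advisory. PowerShell's
# Select-String is case-insensitive by default, hence re.IGNORECASE.
GTSC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not a real capture). Field order follows the
# #Fields line; sc-status is the 12th field, time-taken the last.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 10:15:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 120
2022-09-30 10:15:07 10.0.0.5 POST /powershell/ x=autodiscover.json%3f@example.test 444 - 198.51.100.7 Mozilla/5.0 - 200 0 0 310
2022-09-30 10:15:09 10.0.0.5 POST /powershell/ x=autodiscover.json%3f@example.test 444 - 198.51.100.7 Mozilla/5.0 - 401 1 0 200
2022-09-30 10:16:00 10.0.0.5 GET /ecp/ - 443 - 192.0.2.11 Mozilla/5.0 - 200 0 0 90
"""

def scan_gtsc(log_text):
    """Return (line_no, line) for every line the GTSC regex flags."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if GTSC_PATTERN.search(line)]

def scan_strict(log_text):
    """Stricter variant: parse the W3C fields, require both markers in the
    request URI and sc-status == 200, so a '200' elsewhere on the line
    (here the time-taken of a rejected 401 request) cannot satisfy it."""
    hits, fields = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        if (re.search(r"powershell", uri, re.I)
                and re.search(r"autodiscover\.json.*@", uri, re.I)
                and rec.get("sc-status") == "200"):
            hits.append((n, line))
    return hits
```

Treat the loose scan as a triage list and the strict one as confirmation: line 5 is flagged only by the regex, because its “200” is the time-taken of a request the server rejected.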
The detailed procedure offered by Microsoft to reduce the risk of exploitation for the aforementioned problems is as follows:
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}.
Additionally, Microsoft advises users to block the following Remote PowerShell ports:
- HTTP: 5985
- HTTPS: 5986
But experts caution that Microsoft’s mitigation for on-premises Exchange systems is insufficient.
Both of these zero-day vulnerabilities are already being exploited by threat actors in ongoing campaigns to compromise Microsoft Exchange servers and accomplish remote code execution.
Security researcher Jang initially warned that Microsoft’s mitigations can be readily bypassed with minimal effort.
Will Dormann, a senior vulnerability analyst at ANALYGENCE, concurs with that conclusion: the ‘@’ in Microsoft’s URL block “looks too precise, and consequently insufficient.”
Instead of the URL block mitigation supplied by Microsoft, the researchers advised using “.*autodiscover.json.*Powershell.*”.

Therefore, Microsoft announced on Tuesday that it has updated its advisory with the enhanced URL Rewrite rule and advised Exchange Server users to review it and use one of the three offered mitigation options.
- Customers that have selected Exchange Emergency Mitigation Service (EEMS) automatically receive the updated URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019.
- The URL Rewrite rule enhancements were added to the EOMTv2 script that Microsoft had developed for the URL Rewrite mitigation steps. On internet-connected devices, the EOMTv2 script will automatically update, and the new version will display as 22.10.06.0840. On any Exchange Server without EEMS turned on, the script has to be executed again.
- The third method is to manually delete the previously created rule and replace it with the updated one, as described below:
- Open IIS Manager
- Select Default Web Site
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rule(s)…
- Select Request Blocking and click OK
- Add the string “.*autodiscover\.json.*Powershell.*” (excluding quotes).
- Select Regular Expression under Using.
- Select Abort Request under How to block and then click OK.
- Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions.
- Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
Furthermore, Microsoft advises disabling remote PowerShell access for non-admin users. The procedure should take no more than five minutes, and the restriction can be applied to one or more users.
Also, Microsoft updated the ProxyNotShell vulnerabilities mitigation once again on October 6 to address the URL-encoding scenario.
An updated version of EOMTv2 was also released to remove an extra space in the script that did not affect functionality.
Impact
- Remote Code Execution
- Unauthorized Access
- Server-Side Request Forgery (SSRF)
Indicators Of Compromise
CVE
- CVE-2022-41040
- CVE-2022-41082
Remediation
Refer to Microsoft Security Response Center for patch, upgrade or suggested workaround information.