Attention: Microsoft Exchange administrators are highly recommended to revisit and follow Microsoft’s updated guidance to protect vulnerable servers until a patch is made available.

Microsoft has updated its mitigation recommendations again (since Tuesday) to correct the bypass of the prior mitigation steps. According to security researchers the latest guidance is sufficient until a patch becomes available. As a reminder, this vulnerability impacts on-premises Exchange servers and hybrid deployments. Administrators who acted on the prior mitigation guidance should reapply using Microsoft’s updated solution. Visit Bleeping Computer.

October 4, 2022

Microsoft Exchange Server Zero-Day Vulnerabilities – Important Mitigation Updates

The two Microsoft Exchange zero-days disclosed last week, CVE-2022-41040 and CVE-2022-41082, still do not have a security patch. Additionally, security researchers warn the temporary mitigation guidance shared by Microsoft is insufficient and can be bypassed. Accordingly, members should continue to closely monitor developments associated with these vulnerabilities and be prepared to update and apply additional mitigation measures.

The two mitigation actions Microsoft recommends include blocking the known attack patterns by using the URL Rewrite engine available under “IIS Manager” (detailed instructions can be viewed here) and disabling remote PowerShell access for non-admin users. However, security researchers say the mitigation advice is too specific, covering only known attacks, and therefore insufficient. Hybrid deployments, which combine on-premises with cloud deployment of Microsoft Exchange, are said to be particularly at risk. At least one security researcher said these deployments are “extremely common.” It also deserves noting that more than 1,200 organizations, which include some in the government sector, are said to have exposed their hybrid deployments on the public web.

On Friday, Microsoft published an analysis of threat actors actively exploiting the two zero-days, writing “MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks … MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.” In addition, fraudsters have started impersonating security researchers and advertising non-existent PoC exploits for CVE-2022-41082 for sale on GitHub.

Additional Resources

• Microsoft Exchange vulnerable to server-side request forgery and remote code execution (CERT Coordination Center)
• Exchange Server 0-Day Actively Exploited (SANS Institute)
• Microsoft mitigation for new Exchange Server zero-day exploits can be bypassed (CSO Online)

September 30, 2022

Important Notification Regarding Newly Disclosed Microsoft Exchange Server Zero-Day Vulnerabilities

Attention: Action required if your utility uses affected on-premises Microsoft Exchange Server 2013, 2016, and 2019. Microsoft and security researchers are reporting active exploitation of these vulnerabilities to gain access to systems. Members are encouraged to follow Microsoft’s guidance until a patch is available – Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server.

CISA has posted its notification regarding Microsoft’s Release of Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server. Additionally, CISA added the two associated CVEs to the Known Exploited Vulnerabilities Catalog:

• CVE-2022-41082 Microsoft Exchange Server Remote Code Execution
• CVE-2022-41040 Microsoft Exchange Server Server-Side Request Forgery

Note: For reference, some researchers have dubbed these vulnerabilities “ProxyNotShell” when comparing them to the “ProxyLogon” and “ProxyShell” vulnerabilities of March 2021.

Are these vulnerabilities being actively exploited?

• Yes. Microsoft and security researchers are reporting active exploitation of these vulnerabilities to gain access to systems. Microsoft states that it is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. Both vulnerabilities do require the “user” (attacker) to be authenticated.

Is there a patch available?

• No; not at this time. According to Microsoft’s Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server, they are working on an accelerated timeline to release a fix. Until then, they are providing mitigations and detections guidance to help customers protect themselves from these attacks.

What Microsoft Exchange Server versions are impacted?

• Microsoft Exchange Server 2013, 2016, and 2019. Microsoft Exchange Online is reportedly not affected. However, members who may be running in a hybrid Exchange environment with Outlook Web Access enabled would also likely be vulnerable.

WaterISAC will share information with members and partners as appropriate. Additionally, members are encouraged to report incidents and suspicious activities, first to local and other law enforcement authorities and then to WaterISAC by emailing [email protected], calling 866-H2O-ISAC, or using the online incident reporting form.

Additional Resources

• New 0-Day Vulnerabilities Found in Microsoft Exchange (Huntress)
• Microsoft Confirms Exploitation of Two Exchange Server Zero-Days (SecurityWeek)
• Zero-Day Vulnerability – Microsoft Exchange (GreyNoise)