Last week, Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild.
The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Successful exploitation of the CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.” reads the advisory published by Microsoft.
Microsoft announced that it is working to accelerate the timeline to release a fix that addresses both issues. Meantime, the company provided the mitigations and detection guidance to help customers protect themselves from these attacks.
Microsoft states that Microsoft Exchange Online Customers do not need to take any action, while it provided mitigation for on-premises Microsoft Exchange customers which are the same shared by GTSC.
“We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks,” Microsoft added.
Below is the step-by-step procedure provided by Microsoft to mitigate the risk of exploitation for the above issues:
Microsoft also recommends customers block the following Remote PowerShell ports:
Microsoft also recommends Exchange Server customers disable remote PowerShell access for non-admin users in the organization.
Researchers at GTSC published a video PoC to demonstrate how to bypass the mitigation for the two vulnerabilities.
The popular CERT/CC vulnerability analyst Will Dormann also confirmed that the mitigation can be easily bypassed.
The researchers suggested trying “.*autodiscover\.json.*Powershell.*” instead of URL block mitigations shared by the IT giant.
(SecurityAffairs – hacking, Microsoft Exchange)