Trustwave Action Response: Zero Day Vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019
Update Oct. 4: Microsoft released Security Update Guides for these two vulnerabilities.
- CVE-2022-41040 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41082 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability
Trustwave security teams are aware of two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) impacting on premises versions of Microsoft Exchange Server 2013, 2016, and 2019 and organizations with Outlook Web Access facing the Internet that, if exploited, can allow an attacker to elevate privilege and remote code execution capability. Exchange online clients do not need to take action.
We immediately investigated the vulnerabilities and potential exploits and continue to monitor the situation. Trustwave infrastructure has not been adversely affected by the vulnerabilities. We are taking a proactive response and actively hunting for the presence of the attacks.
We are diligently watching over our clients for exposure and associated attacks.
We will update this blog as needed with additional information.
Microsoft’s Discovery and Guidance
Microsoft is aware of the issue and reported that a limited number of attacks have taken place. Attacks have been observed since August 2022, although at this stage Microsoft are calling them ‘limited’ with fewer than 10 organizations globally affected.
Microsoft has not released patches for the vulnerabilities but did release guidance information about these two vulnerabilities on September 30 including some specific mitigation steps.
The issues were first discovered by the GTSC SOC team in Vietnam and reported on September 28. GTSC has tracked the exploitation of these vulnerabilities starting in early August. GTSC's blog includes IOC information that can be used for detection.
What are the Microsoft Exchange Vulnerabilities?
The vulnerabilities are CVE-2022-41040, which is a Server-Side Request Forgery (SSRF) vulnerability used for Elevation of Privilege and CVE-2022-41082, a Remote Code Execution Vulnerability.
Microsoft's blog notes that for CVE-2022-41040, an attacker must be authenticated and that privileges required for exploitation are low.
In addition, Microsoft Exchange Online clients do not need to take action. However, Exchange Server clients should review and apply the mitigation instructions provided in Microsoft’s blog.
CVE-2022-41082 also requires user authentication and that standard user authentication is sufficient for the attack to work by combining an exploit for elevating privileges. Microsoft further notes an attacker for this vulnerability could target the server accounts in arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.
According to GTSC, the exploits were used to install a webshell on the impacted Exchange servers along with other malware.
What Do We Know?
The precise details of the attack have not been released. However, the attacks appear somewhat similar to, the ProxyShell vulnerability (CVE-2021-34473) attacks on Exchange Servers observed in 2021 where a malicious HTTP request are made with “autodiscover/autodiscover.json" string in the URL. Below is an example of the previous ProxyShell request format:
GET /autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
Similarly, in this case, the observed attack sends a malicious HTTP request triggering the chain of vulnerabilities, which leads to the dropping of web shells and running of arbitrary commands, as in the below diagram, from Microsoft.
Microsoft said authenticated access to the vulnerable Exchange Server is necessary for an attacker to exploit either vulnerability, although privileges necessary for exploitation are low. Furthermore, it must be stress, this a low barrier for adversaries with access to stolen credentials.
Some of the dropped web shells include the open-source tool Antsword, that supports a web shell, and post exploitation framework SharPyShell. In their original blog, GTSC also observed a backdoor called Dll.dll planted in the Exchange Server that emulates Microsoft Exchange EWS (Exchange Web Services), and listens to connections on port 443 at the path:
https://*:443/ews/web/webconfig/.
This backdoor has wide-ranging functionality including collecting information, executing shellcode and commands, and manipulating files.
Mitigation
Microsoft has issued detailed mitigation steps here.
The main mitigation step outlined here is to add a URL Rewrite blocking rule in IIS which looks for and blocks the following string:
".*autodiscover\.json.*\@.*Powershell.*"
Microsoft also advise disabling PowerShell access for non-admin users in your organization.
Recommendations
While attacks may be limited to date, given the nature and publicity of attacks, it is likely cybercriminals will add the attacks to their arsenals and we shall see more such attacks soon. Trustwave recommends:
- Putting in place recommended mitigations as detailed by Microsoft
- Scanning IIS logs for signs of malicious http requests
- Scanning Exchange Servers for IOCs and dropped artifacts
Helpful Resources
GTSC Blog - Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server
Microsoft Security Blog - Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Microsoft Exchange Team - Blog - Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server