Zero-day RCE vulnerability on Microsoft Exchange Servers (CVE-2022-41040 & CVE-2022-41082)
Information
Summary: Microsoft and other outlets have reported that two zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019 are being exploited by malicious threat actors. This is a rapidly evolving situation; the information and guidance below is the latest available.
Environment:
Product: Any
Version: Any
Platform: Any
Application: Microsoft Exchange 2013, 2016, and 2019
Question/Problem Description:
The exploit chain lets a threat actor who holds valid credentials for the Exchange server reach its PowerShell remoting endpoint through Autodiscover and perform Remote Code Execution (RCE) on the server, giving the attacker remote access to internal systems.
Cause: Two vulnerabilities are chained. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability reached through Autodiscover; the second, CVE-2022-41082, allows remote code execution (RCE) when the PowerShell remoting endpoint is accessible to the attacker. The SSRF is what gives the attacker that access, which is why the mitigation targets requests that name both Autodiscover and PowerShell.
Resolution:
Microsoft has published mitigations in the Microsoft Security Response Center blog post listed in the Notes section. They involve creating a URL Rewrite request-blocking rule in IIS Manager on the Exchange server, under the Autodiscover virtual directory, that blocks the PowerShell URL syntax used to gain remote access through Autodiscover. These are mitigations, not a fix: apply Microsoft's Security Update for the affected Exchange builds as soon as it is available. The same block can also be applied on the LoadMaster in front of Exchange; see the Workaround section below.
Workaround:
Alternatively, the URL Rewrite block rule can be created as a Content Rule on the LoadMaster and applied to the Exchange Virtual Service. Here are some steps on how to achieve this on the LoadMaster:
Notes:
Microsoft Security Response Center blog post:
Additional Content Rules information: https://support.kemptechnologies.com/hc/en-us/articles/6600356067341-Content-Rules
Regex101 for building and testing PCRE Content Rules:
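Added example (not Kemp's or Microsoft's code): a small Python script that replays the two Content Rule pattern strings quoted in the comments below, the earlier /.*autodiscover\.json.*Powershell.*/ and the current /(?=.*autodiscover)(?=.*powershell)/, against constructed request URIs, so the effect of each change can be checked offline rather than only on regex101. It assumes, as Microsoft's IIS mitigation does with {UrlDecode:{REQUEST_URI}} and "Ignore case", that the rule is evaluated against the URL-decoded request URI with case ignored; which LoadMaster Content Rule options correspond to that is an assumption to confirm on your own rule, and the sample URIs are made up for the test, not captured traffic.

```python
import re
from urllib.parse import unquote

# Pattern strings exactly as quoted in this article. LoadMaster shows them
# wrapped in slashes; those are delimiters, not part of the regex.
OLD_RULE = r"/.*autodiscover\.json.*Powershell.*/"
NEW_RULE = r"/(?=.*autodiscover)(?=.*powershell)/"

# Constructed sample request URIs (not captured traffic). Each tuple is
# (label, raw request URI as it would appear on the wire).
SAMPLES = [
    ("benign autodiscover", "/autodiscover/autodiscover.xml"),
    ("literal, mixed case", "/autodiscover/autodiscover.json?a@example.com/Powershell"),
    ("lower-case powershell", "/autodiscover/autodiscover.json?a@example.com/powershell"),
    ("percent-encoded P", "/autodiscover/autodiscover.json?a@example.com/%50owershell"),
    ("upper-case path", "/Autodiscover/Autodiscover.json?a@example.com/PowerShell"),
    ("tokens in reverse order", "/powershell?target=autodiscover.json"),
]


def rule_regex(rule: str) -> str:
    """Strip the LoadMaster slash delimiters, returning the bare PCRE body."""
    if len(rule) >= 2 and rule[0] == "/" and rule[-1] == "/":
        return rule[1:-1]
    return rule


def rule_blocks(rule: str, raw_uri: str, decode: bool, ignore_case: bool) -> bool:
    """True if `rule` would block `raw_uri` under the given matching options.

    `decode` models evaluating against the URL-decoded URI (Microsoft's
    {UrlDecode:{REQUEST_URI}} condition); `ignore_case` models the
    "Ignore case" option. Python's `re` evaluates the lookaheads in
    NEW_RULE the same way PCRE does.
    """
    subject = unquote(raw_uri) if decode else raw_uri
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(rule_regex(rule), subject, flags) is not None


def compare_rules(raw_uri: str) -> dict:
    """Evaluate one URI under three configurations and return the verdicts.

    'old_strict'  : first pattern, raw URI, case-sensitive (the weakest setup)
    'old_relaxed' : first pattern, decoded URI, case ignored
    'new'         : current lookahead pattern, decoded URI, case ignored
    """
    return {
        "old_strict": rule_blocks(OLD_RULE, raw_uri, decode=False, ignore_case=False),
        "old_relaxed": rule_blocks(OLD_RULE, raw_uri, decode=True, ignore_case=True),
        "new": rule_blocks(NEW_RULE, raw_uri, decode=True, ignore_case=True),
    }


def run_samples() -> dict:
    """Return {label: verdicts} for every constructed sample URI."""
    return {label: compare_rules(uri) for label, uri in SAMPLES}


if __name__ == "__main__":
    for label, verdicts in run_samples().items():
        cols = "  ".join(f"{k}={'BLOCK' if v else 'pass '}" for k, v in verdicts.items())
        print(f"{label:<24} {cols}")
```

Running it shows why the pattern and the condition both changed: the first pattern only blocks the lower-case "powershell", the percent-encoded "%50owershell" and the capitalised "Autodiscover.json" once decoding and case-insensitive matching are on, and even then it still requires "autodiscover.json" to appear before "Powershell", whereas the lookahead pattern blocks any request that contains both tokens in either order. The benign Autodiscover request passes under all three configurations.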
Comments
Hello Ty,
Thank you for the feedback.
I have made the recommended changes to this article to reflect the new URL string, designed to cover a wider range of attack possibilities.
Best regards,
Jake
Hi,
How do I implement the latest changes in this rule?
MS writes: Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
Can you please advise?
Hi Norbert,
The Condition input recommendation would only be relevant to Microsoft's mitigation on the Exchange/IIS server side. On the LoadMaster side, the Content Rule syntax would not change as a result. The latest recommended String syntax is: /.*autodiscover\.json.*Powershell.*/
Best regards,
Jake
Hi Jake,
Thanks for the info.
Regards
Norbert
Hello,
MS changed the pattern again to: (?=.*autodiscover)(?=.*powershell)
Do we have to change it on KEMP? Is it possible to use this pattern?
Best regards
Jan
Hi Jan,
Thank you for bringing this to our attention.
I have now updated this article to reflect Microsoft's recommended changes. The new string can be modified on the LoadMaster Content Rule to match the following:
/(?=.*autodiscover)(?=.*powershell)/
Best regards,
Jake
Ty cook
Hi,
Is it recommended we change our rule to
per the other blogs such as: Microsoft Exchange server zero-day mitigation can be bypassed (bleepingcomputer.com) ?
Thank you for the great article.