Zero-day RCE vulnerability on Microsoft Exchange Servers (CVE-2022-41040 & CVE-2022-41082)
Summary: It was recently reported by Microsoft and other outlets that a zero-day vulnerability in Exchange Server 2013, 2016, and 2019 has been exploited by malicious threat actors. This is a rapidly evolving exploit, but here is the latest information and guidance available.
Application: Microsoft Exchange 2013, 2016, and 2019
This Exchange Server exploit chain allows malicious threat actors to gain remote access to internal systems by achieving Remote Code Execution (RCE) on the targeted Exchange server through PowerShell.
Steps to Reproduce:
Cause: The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Microsoft has provided mitigations via the Microsoft Security Response Center blog post linked below. The mitigation involves creating a URL Rewrite block rule on the Exchange server via IIS Manager under the Autodiscover virtual directory to block the specific PowerShell URL syntax used for gaining remote access over Autodiscover. The same block can also be applied on the LoadMaster; please see the Workaround section below.
Alternatively, the URL Rewrite block rule can be created as a Content Rule on the LoadMaster and applied to the Exchange Virtual Service. Here are some steps on how to achieve this on the LoadMaster:
Microsoft Security Response Center blog post:
Additional Content Rules Information:
Regex101 for building and testing PCRE Content Rules: