Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet

  /     /     /  
Publicated : 23/11/2024   Category : security


Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet


The ProxyNotShell security vulnerabilities can be chained for remote code execution and total takeover of corporate email platforms.



Microsoft is fast-tracking patches for two Exchange Server zero-day vulnerabilities reported overnight, but in the meantime, businesses
should be on the lookout for attacks
. The computing giant said in a Friday update that its already seeing limited targeted attacks chaining the bugs together for initial access and takeover of the email system.
The flaws specifically affect on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 that face the Internet, according to Microsoft. However, its worth noting that security researcher Kevin Beaumont
says that
Microsoft Exchange Online Customers running Exchange hybrid servers with Outlook Web Access (OWA) are also at risk, despite the official advisory stating that Online instances arent impacted. The team at Rapid7
echoed that assessment
.
The bugs are tracked as follows:
CVE-2022-41040 (CVSS 8.8), a server-side request forgery (SSRF) vulnerability giving access to any mailbox in Exchange;
CVE-2022-41082 (CVSS 6.3), which allows authenticated remote code execution (RCE) when PowerShell is accessible to the attacker.
Importantly, authenticated access to the Exchange Server is necessary for exploitation, Microsofts alert pointed out. Beaumont added, Please note exploitation needs valid non-admin credentials for any email user.
So far, theres no patch available, but Microsoft has triaged the bugs and is fast-tracking a fix.
We are working on an accelerated timeline to release a fix, according to
Microsofts Friday advisory
. Until then, were providing the mitigations and detections guidance.
The mitigations include adding a blocking rule in IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions to block the known attack patterns; and the company included URL rewrite instructions in the advisory, which it said it confirmed are successful in breaking current attack chains.
Also, the alert noted that since authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082, blocking the ports used for Remote PowerShell can limit the attacks.
The flaws were disclosed in a blog post from Vietnamese security company GTSC, which noted that it submitted bug reports to Trend Micros Zero Day Initiative last month. While typically this would have resulted in a responsible vulnerability disclosure process in which Microsoft would have
120 days to patch
before the findings were made public, GTSC decided to publish after seeing in-the-wild attacks, it said.
After careful testing, we confirmed that those systems were being attacked using this 0-day vulnerability, GTSC researchers noted in
its Thursday blog post
. To help the community temporarily stop the attack before an official patch from Microsoft is available, we publish this article aiming to those organizations who are using Microsoft Exchange email system.
It also offered detail analysis of the bug chain, which is similar under the hood to the
ProxyShell group of Exchange Server vulnerabilities
. This prompted Beaumont (@gossithedog) to dub the chain ProxyNotShell,
complete with its own logo
.
He said in his analysis on Friday that while many attributes of the bugs are exactly like ProxyShell, the ProxyShell patches dont fix the issue. He also noted that in terms of attack surface, near a quarter of a million vulnerable Exchange servers face the internet, give or take.
He characterized the situation as pretty risky in a
Twitter feed
, noting that exploitation seems to have been going on for at least a month, and that now that the flaws are public, things could go south pretty quickly. He also called into question Microsofts mitigation guidance.
My guidance would be to stop representing OWA to the internet until there is a patch, unless you want to go down the mitigation route ... but that has been known about for a year, and, eh — theres other ways to exploit Exchange for RCE without PowerShell, Beaumont tweeted. For example, if you have SSRF (CVE-2022-41040) you are god in Exchange, and can access any mailbox via EWS — see the prior activity. So, Im not sure that mitigation will hold.
Microsoft did not immediately respond to a request for comment by Dark Reading.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet