Two zero-day vulnerabilities in Microsoft Exchange Server – dubbed ProxyNotShell – pose a risk of remote code execution

Reference:
Advisory #2022-027

Version:
1.3

Affected software:
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2022-41082
CVE-2022-41040

Sources

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps&viewFallbackFrom=exchange-ps%22%20%5Cl%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user

Risks

By successfully exploiting the two vulnerabilities sequentially (CVE-2022-41082 and CVE-2022-41040), an authenticated remote attacker can perform remote code execution on vulnerable Microsoft Exchange servers.

At the moment of publication, Microsoft has not yet released a fix. Mitigations are available but the regex used in the Rewrite rule was bypassed by a security researcher.

UDPATE 2022-10-03

According to Recorded Future, a high number of stolen credentials is currently up for sale on the dark web. Considering that authentication with Microsoft Exchange credentials is necessary for this exploit, an attacker could use sold logins to gain access and compromise your email servers.

It is expected that a proof-of-concept code to exploit these vulnerabilities will be released soon.

Description

In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. 

• CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
• CVE-2022-41082 allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Recommended Actions

Microsoft Exchange Online Customers:

• Microsoft Exchange Online Customers do not need to take any action.

Mitigations for On-premise Microsoft Exchange customers:

• On-premise Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block exposed remote PowerShell ports.
• For a detailed step-by-step instruction including screenshots, go to: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

UPDATE 2022-10-10

There are 3 options available to mitigate the impact of these vulnerabilities:

• Option 1: For Microsoft users who have the Exchange Emergency Mitigation Service (EEMS) enabled, the URL Rewrite mitigation rule is enabled and updated automatically. For more information about this service, please see https://techcommunity.microsoft.com/t5/exchange-team-blog/new-security-feature-in-september-2021-cumulative-update-for/ba-p/2783155
• Option 2: A script is available to apply mitigations (see UPDATE 2022-10-01 below) and should be re-run on any Exchange Server without EEMS enabled. The script will auto-update on Internet connected machines. The updated version will show as 22.10.07.2029.
• Option 3: Step-by-step instructions exist to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.

Step-by-step actions:

UPDATE 2022-10-10: Step-by-step instructions from step 7 until step 10 have changed.

1. Open the IIS Manager.
2. Expand the Default Web Site.
3. Select Autodiscover.
4. In the Feature View, click URL Rewrite.
5. In the Actions pane on the right-hand side, click Add Rules.
6. Select Request Blocking and click OK.
7. Add String “ (?=.*autodiscover)(?=.*powershell) ” (excluding quotes).
8. Select Regular Expression under Using.
9. Select Abort Request under How to block and then click OK.
10. Expand the rule and select the rule with the pattern (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.
11. Change the condition input from {URL} to {UrlDecode:{REQUEST_URI}}  and then click OK.

IMPACT: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

• Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.

1. HTTP: 5985
2. HTTPS: 5986

For more information on how to disable remote PowerShell, please read: https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps&viewFallbackFrom=exchange-ps%22%20%5Cl%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user.

UDPATE 2022-10-03

Microsoft additionally recommends to:

• monitor your user logins for login attempts at strange times or from strange locations.
• disable remote PowerShell access for non-administrative users.
• use/implement two-factor authentication.

UPDATE 2022-10-01

Microsoft released a script to apply the mitigations programmatically for the SSRF vector CVE-2022-41040, found at https://aka.ms/eomtv2.

More Information

There are multiple methods that might help detecting ProxyNotShell.

It is advised to regularly verify information from the vendor Microsoft at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/.