Reference:
Advisory #2022-027
Version:
1.3
Affected software:
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Type:
Remote Code Execution (RCE)
CVE/CVSS:
CVE-2022-41082
CVE-2022-41040
By successfully exploiting the two vulnerabilities sequentially (CVE-2022-41082 and CVE-2022-41040), an authenticated remote attacker can perform remote code execution on vulnerable Microsoft Exchange servers.
At the moment of publication, Microsoft has not yet released a fix. Mitigations are available, but the regular expression used in the URL Rewrite rule was bypassed by a security researcher.
UPDATE 2022-10-03
According to Recorded Future, a high number of stolen credentials are currently up for sale on the dark web. Considering that authentication with Microsoft Exchange credentials is necessary for this exploit, an attacker could use sold logins to gain access and compromise your email servers.
It is expected that proof-of-concept code to exploit these vulnerabilities will be released soon.
In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.
Microsoft Exchange Online Customers:
Mitigations for On-premise Microsoft Exchange customers:
UPDATE 2022-10-10
There are 3 options available to mitigate the impact of these vulnerabilities:
Step-by-step actions:
UPDATE 2022-10-10: Step-by-step instructions from step 7 until step 10 have changed.
IMPACT: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
For more information on how to disable remote PowerShell, please read: https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps#use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user
UPDATE 2022-10-03
Microsoft additionally recommends to:
UPDATE 2022-10-01
Microsoft released a script to apply the mitigations programmatically for the SSRF vector CVE-2022-41040, found at https://aka.ms/eomtv2.
There are multiple methods that might help detect ProxyNotShell.
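One such method is to search the IIS request logs of the Exchange server for the request shape these attacks use. The script below is an added example written for this page; it is not part of the advisory, nor Microsoft's own detection tooling. The log lines are constructed, and both patterns are my own: NAIVE illustrates the weakness the advisory mentions (a case-sensitive match that also requires a literal "@", applied to the raw, still URL-encoded request), while HARDENED is modelled on the lookahead form Microsoft later published and is applied after URL-decoding. Treat the exact patterns as assumptions and check the MSRC guidance linked at the end of this advisory for the current ones.

```python
"""Scan IIS W3C log lines for the ProxyNotShell request shape (added example)."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for this demo; not real traffic.
# Column order follows the #Fields directive, as in real IIS logs.
# cs-uri-query is logged without the leading "?" and as "-" when empty.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-10-01 10:15:01 GET /owa/ - 198.51.100.10 200
2022-10-01 10:15:07 POST /autodiscover/autodiscover.json @example.com/powershell 203.0.113.5 200
2022-10-01 10:15:09 POST /autodiscover/autodiscover.json %40example.com/PowerShell 203.0.113.5 200
2022-10-01 10:16:00 GET /autodiscover/autodiscover.json Email=user@example.com 198.51.100.11 401
2022-10-01 10:17:30 GET /ecp/ - 198.51.100.12 200
"""

# Assumed pattern: case-sensitive, needs a literal "@", so percent-encoding or
# a capitalised "PowerShell" slips past it when run over the undecoded URI.
NAIVE = re.compile(r"autodiscover\.json.*\@.*powershell")

# Assumed hardened pattern: two lookaheads, case-insensitive, no reliance on
# the "@" separator. Apply it after URL-decoding the request target.
HARDENED = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)


def parse_iis(log_text: str) -> list[dict]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or header-less line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def request_target(rec: dict, decode: bool) -> str:
    """Rebuild "stem?query" for a record, optionally URL-decoding it once."""
    query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
    target = rec["cs-uri-stem"] + ("?" + query if query else "")
    return unquote(target) if decode else target


def find_hits(records: list[dict], pattern: re.Pattern, decode: bool) -> list[dict]:
    """Return the records whose request target matches the given pattern."""
    return [rec for rec in records if pattern.search(request_target(rec, decode))]


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count matching requests per client IP, keeping only 2xx responses
    (a successful status is what makes a hit worth triaging first)."""
    counts: dict[str, int] = {}
    for rec in hits:
        if rec["sc-status"].startswith("2"):
            counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    print("naive pattern, raw URI:     ", len(find_hits(recs, NAIVE, decode=False)), "hit(s)")
    hardened = find_hits(recs, HARDENED, decode=True)
    print("hardened pattern, decoded:  ", len(hardened), "hit(s)")
    for ip, n in summarize(hardened).items():
        print(f"  {ip}: {n} successful matching request(s)")
```

On the constructed sample the naive pattern flags only the first autodiscover request and misses its percent-encoded, differently-cased twin; decoding first and dropping the "@" dependency catches both. To use this on real data, point it at the IIS log directory of the Exchange server (typically under the inetpub logs folder, which varies per installation) and review every hit against the mailbox and source IP, since legitimate traffic to autodiscover.json will not normally carry "powershell" in its query.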
It is advised to regularly verify information from the vendor Microsoft at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/.