Two new zero-day vulnerabilities in Microsoft Exchange were recently reported by Microsoft and GTSC researchers. The two vulnerabilities, identified as CVE-2022-41040 and CVE-2022-41082, are known collectively as the ProxyNotShell exploit.
CVE-2022-41040 is a server-side request forgery (SSRF) issue that an authenticated attacker can exploit and chain with CVE-2022-41082. The second vulnerability is a remote code execution issue that lets threat actors remotely execute PowerShell commands on a vulnerable Exchange server. Initially, Microsoft said that threat actors need to be already authenticated to the targeted server for the attack to succeed. This condition makes a ProxyNotShell attack less dangerous than the ProxyLogon vulnerability discovered in the spring of 2021.
How Were the ProxyNotShell Vulnerabilities Discovered?
GTSC researchers say that they first came across unusual behavior in August 2022 which revealed the two vulnerabilities. Apparently, they were being used in the wild by a Chinese threat actor, who was attempting to leverage Microsoft's Internet Information Services (IIS). It should be noted that IIS hosts the front-end web component of Outlook Web Access (OWA), and the malicious requests followed the same format as the ProxyShell exploit. Once a server was breached, the attacker deployed Antsword, a Chinese open-source web admin tool that can also be used as a web shell.
Can CVE-2022-41040, CVE-2022-41082 Be Mitigated?
Since Microsoft is aware of limited attacks and has yet to release patches, several workarounds were proposed, including a URL Rewrite rule and blocking mitigations. However, shortly after the mitigations were released, it turned out that they could be bypassed.
According to a security researcher known as Jang, the URL pattern can be bypassed easily. The blocking mitigations are also insufficient, according to senior vulnerability analyst Will Dormann.
Microsoft advises affected customers to review the Mitigations section and apply one of the following updated mitigation options:
- The EEMS (Exchange Emergency Mitigation Service) rule has been updated and is applied automatically.
- The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.
- The URL Rewrite rule instructions have been updated. The strings in steps 6 and 9 have been revised, and steps 8, 9, and 10 have updated images.
“We strongly recommend Exchange Server customers disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is available here,” Microsoft added.
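The following script is an added example, not part of the original article or of Microsoft's published guidance, showing one way to carry out the recommendation above from the Exchange Management Shell: it lists every mailbox user who still has remote PowerShell enabled and is not a member of an administrative role group, then disables remote PowerShell for them. The set of role groups treated as "admin" is an assumption and should be adjusted to the organization's own delegation model; the cmdlets used (Get-RoleGroupMember, Get-User, Set-User and its RemotePowerShellEnabled property) are standard Exchange cmdlets.

```powershell
# Added example (not from the article or Microsoft): disable remote PowerShell
# for non-admin mailbox users. Run from the Exchange Management Shell as an
# administrator. The role-group list below is an assumption; adjust it to match
# the groups that actually need remote PowerShell in your organization.
$adminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management')

# Collect the distinguished names of everyone in the chosen admin role groups.
$adminDns = @(
    foreach ($group in $adminRoleGroups) {
        (Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue).DistinguishedName
    }
)

# Select mailbox users that still have remote PowerShell enabled and are not admins.
$targets = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        $_.RemotePowerShellEnabled -and ($adminDns -notcontains $_.DistinguishedName)
    }

# Report what would change before touching anything.
$targets | Select-Object Name, UserPrincipalName, RemotePowerShellEnabled | Format-Table -AutoSize

# Apply the change. -WhatIf previews it; remove -WhatIf to actually disable access.
$targets | ForEach-Object {
    Set-User -Identity $_.Identity -RemotePowerShellEnabled $false -WhatIf
}
```

Run it once with -WhatIf to review the list of affected accounts, confirm that every service or automation account that genuinely needs remote PowerShell is covered by one of the role groups (or excluded explicitly), and only then remove -WhatIf. The property can be re-enabled for an individual user later with Set-User -RemotePowerShellEnabled $true.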