Two new 0-day vulnerabilities have been identified affecting Microsoft Exchange Server 2013, 2016, and 2019 products.
The details of the identified vulnerabilities are as follows;
- The first critical security vulnerability (SSRF), tracked as CVE-2022-41040, is due to insufficient validation of user-supplied input in the Exchange OWA interface. A remote threat actor can direct the application to initiate requests to arbitrary systems via a specially crafted HTTP request.
- Another security vulnerability tracked as CVE-2022-41082 is due to incorrect login validation in the Exchange Server. A remote user with access to PowerShell Remoting on Exchange systems affected by security vulnerability can execute arbitrary code on the system.
It is observed that threat actors exploit these vulnerabilities in targeted attacks. The attacks detailed by Microsoft show that the two vulnerabilities are used together in an exploit chain, and the SSRF vulnerability allows an authenticated threat actor to execute arbitrary code. However, successfully exploiting the vulnerabilities requires authenticated access to vulnerable Exchange Servers.
Microsoft has announced that Exchange Online users are not affected by these vulnerabilities and has released a set of workarounds they should implement to mitigate potential threats to their affected customers. In order not to be the target of targeted attacks that can be carried out using vulnerabilities, it is recommended to immediately implement the following workaround suggestions published by Microsoft and to monitor the updates to be released regularly.
- IIS Manager should open.
- The Default Web Site bar should be expanded.
- The Autodiscover tab should open.
- The URL Rewrite feature within the IIS framework should be clicked.
- In the Actions pane on the right, the Add Rule(s) option should open.
- Select the Request Blocking option and click OK.
- In the Add Request Rule window that opens, add the string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Pattern section and click OK.
- The added rule should be selected, and the Edit feature in the Conditions frame on the side tab should be opened.
- Should change the condition entry from {URL} to {REQUEST_URI}.