Published on: 30 September 2022
Two zero-day vulnerabilities in Microsoft Exchange Server were observed in multiple attack campaigns. A remote attacker could send a specially crafted request to exploit the vulnerabilities.
Microsoft has updated the workaround to mitigate the vulnerabilities on Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082). As patches are not yet available, system administrators are advised to take immediate action to apply the latest workaround recommended by Microsoft.
System administrators are recommended to accord priority to taking the following actions.
(a) Update the URL Rewrite rule with the following pattern:
.*autodiscover\.json.*Powershell.*
(b) Change the Condition input to:
{UrlDecode:{REQUEST_URI}}
Detailed steps to implement the workaround can be found at the following URL:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Microsoft has released details about the vulnerabilities (CVE-2022-41040 and CVE-2022-41082) affecting Microsoft Exchange Server. Patches for CVE-2022-41040 and CVE-2022-41082 are not yet available, but Microsoft has provided a workaround to mitigate the risk.
In view of the elevated risk of cyber attacks, system administrators are recommended to accord priority to taking the following actions.
(a) Disable remote access to PowerShell by limiting the exposure of TCP ports 5985 and 5986 to the Internet; and
(b) Apply the URL Rewrite rule to block known attack patterns with the help of the following script provided by Microsoft:
https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/
As implementing the workaround may result in reduced functionality, system administrators should properly assess the impact before adopting the workaround. Detailed steps to implement the workaround can be found at the following URL:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Reports indicate that two zero-day vulnerabilities in Microsoft Exchange Server were being actively exploited. In view of the elevated risk of cyber attacks, system administrators are recommended to implement the mitigation measures and check for exploitation attempts as suggested in the recommendation section.
A successful attack could lead to remote code execution on an affected system.
Patches for the affected products are not yet available. A security vendor has provided a workaround to block requests with a similar exploitation pattern through the URL Rewrite Rule module on the IIS server. System administrators should properly assess the impact before adopting the workaround. Detailed steps to implement the workaround can be found below:
System administrators should also check for exploitation attempts in IIS log files using the following PowerShell command:
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" |
Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
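The following Python script is an added example, not part of the advisory or of Microsoft's guidance. It ties together the two checks above: the URL Rewrite workaround (pattern .*autodiscover\.json.*Powershell.* tested against the URL-decoded REQUEST_URI) and the Select-String hunt over IIS logs. It emulates the rewrite condition on a request URI, reproduces the advisory's raw-line regex, and adds a field-aware variant that parses the IIS W3C #Fields header, percent-decodes the stem and query, and checks the real sc-status column. The log excerpt, IP addresses and example.test host are constructed; case-insensitive matching of the rewrite pattern is an assumption of this example.

```python
import re
from urllib.parse import unquote

# Pattern from the advisory's URL Rewrite workaround. It is applied to
# {UrlDecode:{REQUEST_URI}}, i.e. after percent-decoding, so an encoded
# request does not slip past it. Case-insensitive matching is assumed here.
REWRITE_PATTERN = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)

# Pattern from the advisory's Select-String hunting command (Select-String is
# case-insensitive by default, hence IGNORECASE).
HUNT_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real data). Row 2 is the same request as
# row 1 with the query percent-encoded, which is how IIS records it; row 3 is a
# benign OWA request; row 4 matches the pattern but was not served (404).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2022-09-30 10:00:01 198.51.100.7 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 200 31
2022-09-30 10:00:05 198.51.100.7 POST /autodiscover/autodiscover.json %40example.test%2Fpowershell&Email=autodiscover%2Fautodiscover.json%3f%40example.test 200 29
2022-09-30 10:00:09 203.0.113.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 200 12
2022-09-30 10:01:02 198.51.100.7 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 404 15
"""


def rewrite_rule_blocks(request_uri: str) -> bool:
    """Emulate the workaround's condition: decode REQUEST_URI, then test the pattern."""
    return REWRITE_PATTERN.search(unquote(request_uri)) is not None


def parse_iis_w3c(log_text: str):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive names the columns
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                           # other directives, blanks, or no header yet
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_raw(log_text: str) -> list:
    """The advisory's Select-String check: the regex over each raw log line."""
    return [line for line in log_text.splitlines() if HUNT_PATTERN.search(line)]


def hunt_decoded(log_text: str) -> list:
    """Field-aware check: decode stem+query, require '@' in the decoded URI,
    and read the status from the sc-status column rather than matching '200'
    anywhere in the line. Returns (client IP, timestamp, decoded URI) tuples."""
    hits = []
    for row in parse_iis_w3c(log_text):
        uri = unquote(row["cs-uri-stem"] + "?" + row["cs-uri-query"])
        if row["sc-status"] == "200" and "@" in uri and REWRITE_PATTERN.search(uri):
            hits.append((row["c-ip"], row["date"] + " " + row["time"], uri))
    return hits


if __name__ == "__main__":
    print("rewrite rule would block encoded request:",
          rewrite_rule_blocks("/autodiscover/autodiscover.json?%40example.test%2FPowerShell"))
    print("raw-line hits:", len(hunt_raw(SAMPLE_LOG)))
    for ip, when, uri in hunt_decoded(SAMPLE_LOG):
        print("decoded hit:", ip, when, uri)
```

Running it shows the point of the UrlDecode condition in the workaround: the raw-line regex from the advisory finds only row 1, while the decoded, field-aware check finds rows 1 and 2, because IIS logs the query string as received and a percent-encoded "@" never appears literally in the line. Row 4 is correctly excluded by both, since the request was not served successfully.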