Blog Post September 30, 2022

New Unpatched Microsoft Exchange Vulnerabilities - Remote Code Execution Vulnerabilities Allowing Potential Attacker Access

New Unpatched Microsoft Zero Day Vulnerability

By: Director of Threat Research, Kevin O’Connor

Microsoft has confirmed a new pair of unpatched vulnerabilities affecting its Exchange mail server platform. Tracked as CVE-2022-41040 and CVE-2022-41082, Microsoft validated the exploits’ existence and confirmed they are actively being used in the wild by malicious actors to compromise systems. This vulnerability is believed only to affect on-premises instances of Microsoft Exchange contained in Microsoft Windows Server 2013, 2016, and 2019, and not cloud-based Microsoft O365 mail applications and services such as Exchange Online, which Microsoft attests has detections and mitigations already in place. Microsoft Exchange Online customers do not need to take any action.

What you Need to Know

Microsoft does not currently have a patch available for the vulnerabilities but recommends that on-premise Microsoft Exchange customers should review and apply URL Rewrite Instructions and block exposed Remote PowerShell Ports. A guide by Microsoft for adding the blocking rule can be found here.

Add A Blocking Rule

Open the IIS Manager.
Expand the Default Web Site.
Select Autodiscover.
In the Feature View, click URL Rewrite.
In the Actions Pane on the right-hand side, click Add Rules.
Select Request Blocking and Click OK
Add the following string and click OK:
- .*autodiscover\.json.*\@.*Powershell.*
Expand the rule and select the rule and click Edit under Conditions
Change the condition input from {URL} to {REQUEST_URI}

Blocking PowerShell Ports

Block the following ports used for Remote PowerShell

HTTP: 5985

HTTPS: 5986

The pair of CVEs are Server-Side Request Forgery (SSRF) (CVE-2022-41040) and Remote Code Execution (RCE) (CVE-2022-41082) vulnerabilities. The SSRF vulnerability can only be used by authenticated attackers suggesting that credentialed or other authorized access is needed to exploit the system. The SSRF vulnerability can then be used to enable the usage of the RCE vulnerability.

The vulnerabilities were uncovered by GTSC, a Vietnamese security company, during monitoring and incident response services in live networks. GTSC detected exploit requests in ISS logs with the same format as the previous 2021 ProxyShell RCE vulnerability:

autodiscover/autodiscover.json?@/&Email=autodiscover/autodiscover.json%3f@

It’s been observed in the wild that the CVEs have been used to drop webshells on exploited Exchange servers, including Antsword, a Chinese opensource cross-platform website administration tool supporting webshell management. The webshell’s codepage is also set to a Microsoft character encoding for simplified Chinese, again suggesting China-based actor involvement. During these exploitation campaigns, attackers leveraging the vulnerabilities also modified the file RedirSuiteServiceProxy.aspx to contain a webshell. GTSC also reported the use of SharPyShell, a small and obfuscated ASP.net webshell for C# web applications.

As part of their Tactics, Techniques, and Procedures (TTPs), attackers exploiting the vulnerabilities have also been observed leveraging the native Windows binary, certutil.exe, to connect to command-and-control infrastructure and retrieve malicious payloads. Some of the commands share similarities with those used by the Chinese Chopper web shell malware. The attackers also leverage in-memory DLL injection and native Windows WMIC systems to execute files.

To identify potential exploitation leveraging these vulnerabilities, administrators can check Microsoft IIS Logs for the following string indicating potential compromise:

powershell.*autodiscover\.json.*\@.*200

Microsoft is currently working to develop a patch for the vulnerabilities; however, Microsoft Exchange administrators should take immediate action to defend systems and search for prior signs of compromise.

Keeping a network secure from zero-day exploitation requires a layered defense-in-depth approach. Externally available services such as email servers continue to be a prime target for exploitation by threat actors. Systems such as Adlumin’s Perimeter Defense capabilities can monitor these external systems for the appearance of exploitation artifacts such as newly opened ports on internet-accessible servers used for remote exploitation interfaces such as PowerShell.

Continuous Monitoring

Adlumin recommends using a Continuous Vulnerability Management (CVM) product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. CVM software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place. Adlumin also recommends leveraging the business’s SIEM product to continually search and alert for suspicious executions which may be a result of the exploitation of the vulnerability.