Zero-Day Microsoft Exchange Server: Critical Vulnerabilities - OWASSRF and ProxyNotShell

This article provides information on recently discovered zero-day vulnerabilities in the Microsoft Exchange Server versions 2013, 2016, and 2019.

The following table provides key information about the vulnerabilities.

CVE-2022-41080 & CVE-2022-41082 (#OWASSRF)

Information about these vulnerabilities was discovered by CrowdStrike and first published on 20 December 2022, This exploit affects Microsoft Exchange Server 2013, 2016, and 2019. The attack involves an SSRF equivalent to the Autodiscover technique and the exploit used in the subsequent step of previously identified #ProxyNotShell. The exploit provides attackers with access to the PowerShell remoting service through Outlook Web Access instead of previously employed Autodiscover.

CVE-2022-41040 & CVE-2022-41082 (#ProxyNotShell)

Information about these vulnerabilities was first published on September 29, 2022, and affect Microsoft Exchange Server 2013, 2016, and 2019. An attacker would need to gain access to the vulnerable system as an authenticated user to exploit these vulnerabilities. At first, the SSRF attack is executed to gain access to the PowerShell. Later, the attacker can also execute the RCE attack as described in CVE-2022-41082.

OWASSRF (CVE-2022-41080 & CVE-2022-41082) – Updated on 21 December 2022

CrowdStrike discovered a new exploit method called OWASSRF consisting of a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via privilege escalation through Outlook Web Access (OWA).

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 allows Remote Code Execution (RCE) when the Exchange PowerShell is accessible to the attacker.

1. Go to the SECURITY > View Internal Patterns page, Attack Types section.

2. Scroll down to the http-specific-attacks-medium group and click Details next to the owa-ssrf-powershell-vulnerability pattern.

   Open

   

    

   Open

   

    

3. In the Attack Types pop-up window, copy the Pattern Regex.

4. Go to the SECURITY > Libraries page, Attack Types section.

   1. Enter a name in the New Group text field and click Add.

      Open

      

       

   2. Click Add Pattern next to the group you created.

      Open

      

       

   3. In the Attack Types pop-up window:

      1. Enter a name for the pattern.

      2. Paste the regex that you copied in step 3 in Pattern Regex.

      3. Specify values for other parameters as required and click Save.

5. Go to the SECURITY > Security Policies page and select the policy the security policy to enable the custom attack type.

6. Scroll down to URL Protection and click Show to expand Additional Options.

   Open

   

    

7. Select the attack type group that you created in step 4.

   Open

   

    

8. Click Save Changes.

Recommendation

As a best practice, it is recommended that you consider interim mitigations and recommendations from Microsoft to protect your Microsoft Exchange Server.

Vendor Advisory (#OWASSRF):  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080

Vendor Advisory (#ProxyNotShell):  https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

#OWASSRF

• https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

• https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/

• https://socradar.io/reports-of-proxynotshell-vulnerabilities-being-actively-exploited-cve-2022-41040-and-cve-2022-41082/

• https://www.securityweek.com/ransomware-uses-new-exploit-bypass-proxynotshell-mitigations

#ProxyNotShell

• https://www.csa.gov.sg/singcert/Alerts/al-2022-056

• https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html#:~:text=Temporary%20containment%20measures

• https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/

• https://borncity.com/win/2022/09/30/exchange-server-werden-ber-0-day-exploit-angegriffen-29-sept-2022/

• https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html