Notification regarding Microsoft Exchange server compromises seen in the wild using CVE-2022-41080 & CVE-2022-41082

This is a follow-up to notifications we sent out regarding the potential for attackers to obtain Remote Code Execution (RCE) on on-premises and hybrid Microsoft Exchange servers by leveraging CVE-2022-41082. This notification currently affects:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Please note this applies to organizations that maintain on-premises Microsoft Exchange servers or a hybrid configuration.

This is not a notification of activity we are currently seeing on networks being monitored by Critical Insight.

Back in October 2022, Microsoft recommended mitigating CVE-2022-41082 by creating a rule to block URL rewrites. Recently, both Rapid7 and CrowdStrike have noted and responded to attackers bypassing the URL rewrite mitigation through the privilege escalation vulnerability in OWA (CVE-2022-41080), which allows attackers to chain that vulnerability with CVE-2022-41082 to achieve privileged access.

CVE-2022-41080 – Microsoft Exchange Server elevation of privilege vulnerability: a Server-Side Request Forgery (SSRF) in the Autodiscover endpoint of Microsoft Exchange Outlook Web Access (OWA)

CVSSv3: 9.8

CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution (RCE) vulnerability, exploitable when PowerShell is accessible to the attacker.

CVSSv3: 8.8

IOCs noted by these companies include PowerShell being spawned by IIS (w3wp.exe) to create outbound network connections to:

  • 45.76.141[.]84
  • 45.76.143[.]143

Mitigations:

Microsoft addressed these vulnerabilities with a patch for Exchange Server 2013, 2016, and 2019 on November 8, 2022 – KB5019758.

Critical Insight recommends testing and deploying this patch as soon as you are able, as OWA on these Exchange versions, in the unpatched state, is vulnerable to CVE-2022-41080.

Additional recommendations from Microsoft include:

  • If you are unable to patch right away, disable public access to OWA
  • Disable remote PowerShell for non-administrative users where possible
  • Be alert to web services spawning PowerShell or command-line processes
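As an added defensive example (not code from Critical Insight, Microsoft, or the vendors cited above), the following Python correlates constructed Sysmon-style process-creation and network-connection records to flag the pattern described by the IOCs and the last recommendation above: a shell spawned by the IIS worker w3wp.exe, raised to high severity when that process connects to one of the listed addresses. Field names follow Sysmon's schema; the event values and ProcessGuids are made up.

```python
import ntpath
from collections import defaultdict

# Indicator IPs listed in this notification (defanged as 45.76.141[.]84 in the text).
IOC_IPS = {"45.76.141.84", "45.76.143.143"}
IIS_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample records in a Sysmon-like shape: EventID 1 (process create)
# and EventID 3 (network connect). Field names follow Sysmon; values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "P1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "ProcessGuid": "P1", "DestinationIp": "45.76.141.84", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "P2", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "P3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "ProcessGuid": "P3", "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
    {"EventID": 1, "ProcessGuid": "P4", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return findings for shells spawned by the IIS worker, enriched with the
    process's outbound destinations and any matches against the listed IOC IPs."""
    conns = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 3:
            conns[ev["ProcessGuid"]].add(ev["DestinationIp"])
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if basename(ev["ParentImage"]) != IIS_WORKER or basename(ev["Image"]) not in SHELLS:
            continue
        hits = conns[ev["ProcessGuid"]] & IOC_IPS
        findings.append({
            "guid": ev["ProcessGuid"],
            "child": basename(ev["Image"]),
            "outbound": sorted(conns[ev["ProcessGuid"]]),
            "ioc_hits": sorted(hits),
            # any shell under w3wp.exe deserves a look; a known IOC destination makes it urgent
            "severity": "high" if hits else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this flags P1 (high, IOC hit) and P2 (medium, shell under w3wp.exe with no connections), and ignores the explorer-launched PowerShell and the legitimate Exchange worker.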

Additional Information:

Microsoft analysis and guidance: https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/