On 29 September 2022, Microsoft published an advisory providing a workaround for two unpatched flaws in Microsoft Exchange Server 2013, 2016, and 2019 that are being exploited in the wild in “limited targeted attacks”. We recommend following the mitigation steps below to validate whether your software or devices are affected by these vulnerabilities, and to apply the vendor remediation if required.
Microsoft noted that it is working on “an accelerated timeline to release a fix” for two vulnerabilities affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019, including Exchange servers that run Outlook Web App and are exposed to the internet.
- CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that requires prior authentication. The Zero Day Initiative (ZDI), which reported the vulnerability to Microsoft, assigned it a CVSS score of 6.3 out of 10.
- CVE-2022-41082 could enable an authenticated actor to trigger remote code execution (RCE) when PowerShell is accessible. The flaw received a CVSS v3 score of 8.8.
Researchers reported on post-exploitation activity by threat actors using these vulnerabilities. The actors have been observed using Antsword to install web shells on vulnerable Exchange servers. Antsword is an open-source, cross-platform website administration tool that supports web shell management. The resulting exploitation requests appear in the same format as those used against the ProxyShell Exchange Server vulnerabilities. Threat actors then inject malicious DLLs into memory and load and execute additional payloads on the infected servers using the WMI command-line (WMIC) utility. At the time of reporting, there is no known viable public proof-of-concept (PoC).
Covalence alerts on the presence of software impacted by this threat in your environment. Our teams are applying the latest indicators of compromise to ensure our clients and partners are protected. Covalence will detect and report anomalous authentication and other behaviour for users prior to exploitation attempts, which is particularly relevant because the exploit requires an authenticated user.
We recommend that you refer to the Microsoft advisory, noted below, to apply the mitigations. Check your log files for the indicators of compromise contained in the Microsoft advisory referenced below. If present, disconnect and isolate the affected host.
Refer to Microsoft’s advisory referenced below to apply temporary mitigations to reduce the risk of exploitation.
Please apply the latest Cumulative Update (CU) and Security Update (SU) to the affected software as soon as the updates become available.
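The log check recommended above, as an added example that is not part of the advisory or of Microsoft's guidance: a PowerShell filter over IIS W3C logs for the ProxyShell-style request shape (autodiscover.json with an '@' in the query and a PowerShell path). The regular expression, the log root path, and the sample lines are assumptions constructed for this illustration; the authoritative indicators are those in the Microsoft advisory referenced below.

```powershell
function Find-SuspiciousAutodiscoverRequests {
    param([Parameter(Mandatory)] [string[]] $LogLines)
    # ProxyShell-style shape: autodiscover.json, an '@' in the query, a PowerShell back-end path.
    # The pattern is an assumption for this illustration; -match is case-insensitive.
    $pattern = 'autodiscover\.json.*@.*powershell'
    $fields  = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Map W3C column names to positions so the parser does not rely on a fixed layout
            $fields = @{}
            $names  = ($line -replace '^#Fields:\s*', '') -split ' '
            for ($i = 0; $i -lt $names.Count; $i++) { $fields[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or $null -eq $fields) { continue }   # other header lines
        if ($line -notmatch $pattern) { continue }
        $f = $line -split ' '
        [pscustomobject]@{
            Time     = '{0} {1}' -f $f[$fields['date']], $f[$fields['time']]
            ClientIP = $f[$fields['c-ip']]
            Method   = $f[$fields['cs-method']]
            Uri      = '{0}?{1}' -f $f[$fields['cs-uri-stem']], $f[$fields['cs-uri-query']]
            Status   = $f[$fields['sc-status']]   # 200 responses to this shape merit the closest review
        }
    }
}

function Invoke-ExchangeIisLogScan {
    # Assumed default IIS log root; adjust for your Exchange server
    param([string] $LogRoot = 'C:\inetpub\logs\LogFiles')
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' |
        ForEach-Object { Find-SuspiciousAutodiscoverRequests -LogLines (Get-Content -Path $_.FullName) }
}

# Constructed sample log lines (not real traffic) to exercise the filter
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2022-09-30 10:15:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120',
    '2022-09-30 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 198.51.100.7 python-requests/2.28 - 200 0 0 310'
)
Find-SuspiciousAutodiscoverRequests -LogLines $sample | Format-Table -AutoSize
```

Only the second sample line is returned; on a live server, run Invoke-ExchangeIisLogScan and isolate any host whose logs produce matches, as recommended above.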
On 13 September 2022, Microsoft released updates to address 63 vulnerabilities; five were classified as ‘Critical’ and two had been publicly disclosed, one of which is being actively exploited. We recommend applying the latest updates as soon as possible.
Microsoft noted that threat actors are exploiting a publicly disclosed vulnerability tracked as CVE-2022-37969. This vulnerability affects the Common Log File System (CLFS), a logging subsystem accessible to both kernel-mode and user-mode applications for transaction logging and/or recovery. Prior access is required, and a threat actor would have to engineer interaction with a victim: if the victim opens a file or a link, the threat actor would be able to execute code with elevated privileges. Microsoft rated this flaw as “important” and assigned it a CVSS score of 7.8 out of 10. This flaw appears to be identical to CVE-2022-24521, another local privilege escalation (LPE) issue that Microsoft fixed in April 2022 and reported as exploited.
As part of the 13 September update, Microsoft included a fix for another LPE vulnerability in CLFS, CVE-2022-35803, noting that “exploitation is more likely”. Threat actors often exploit flaws that are similar in nature and are likely to take note of the proof-of-concept (POC) details available for the CLFS flaws mentioned above.
Another publicly disclosed flaw fixed in the September update is tracked as CVE-2022-23960. It is a Cache Speculation Restriction vulnerability that was disclosed in March 2022 as Spectre-BHB or Branch History Injection (BHI). It is a variant of processor-based speculative execution issues known as Spectre-v2, affecting Windows 11 for ARM64-based Systems. Due to speculation issues in the victim’s hardware, a threat actor could perform cache allocation, which could lead to information disclosure.
Some notable vulnerabilities that were labelled as critical include:
- CVE-2022-34718 – a Remote Code Execution (RCE) vulnerability in Windows TCP/IP. It could allow a remote unauthenticated threat actor to execute code with elevated privileges on affected systems without user interaction. The flaw, however, only affects systems that have enabled IPv6 and have Internet Protocol Security (IPsec) configured. CVSS: 9.8
- CVE-2022-34721 and CVE-2022-34722 both affect Windows Internet Key Exchange (IKE) Protocol Extensions. Both flaws carry a CVSS score of 9.8. An unauthenticated threat actor could send a malicious IP packet to a target machine that is running Windows and has IPsec enabled, which could enable an RCE. These issues only impact IKEv1. All Windows Servers are affected because they accept both V1 and V2 packets.
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.
To expedite the updates, go to Settings > Windows Update > Check for Updates.
On 17 August, Apple issued an emergency security update for vulnerabilities affecting multiple devices, noting that they are already being exploited by threat actors. We recommend applying the latest updates as soon as possible.
Apple released advisories on two critical vulnerabilities fixed as part of the August emergency updates. The flaws are as follows:
- CVE-2022-32893 affects WebKit, a browser engine developed by Apple and used in its Safari web browser, as well as browsers used in iOS and iPadOS, and in Apple devices using WebView. The flaw could allow for remote code execution via malicious web content presented by a threat actor.
- CVE-2022-32894 is an out-of-bounds write issue that could allow applications to execute code with kernel privileges. Using the WebKit vulnerability above, a threat actor could obtain access to an application. They could then leverage CVE-2022-32894 to obtain administrative privileges and bypass security restrictions on a vulnerable device.
Apple reported that these issues have been actively exploited but did not provide any details on the exploitation.
Apple has released macOS Monterey 12.5.1, iOS 15.6.1, iPadOS 15.6.1, and Safari 15.6.1 to address these vulnerabilities.
- If you are using any of the vulnerable Apple products, ensure you have the latest updates installed.
- Check for and install software updates on your device manually by going to Settings > General > Software Update.
On 19 July 2022, Oracle issued a Critical Patch Update fixing 349 vulnerabilities; many of these can be used for remote execution of code without authentication. We recommend applying the latest updates as soon as possible.
The Critical Patch Update (CPU) addresses vulnerabilities in multiple Oracle product families and their third-party components; 64 of these were rated critical.
The most severe of the vulnerabilities was rated with a CVSS 3.1 score of 10 out of 10 and affects the applications in the Oracle Communications family of products that use Spring Cloud Gateway. The flaw is tracked as CVE-2022-22947 and allows code injection attacks when the Gateway Actuator endpoint is enabled, externally exposed, and unsecured. A remote threat actor could make a malicious request that would allow arbitrary code execution on a vulnerable host. The products that received fixes for this vulnerability were:
- Oracle Communications Cloud Native Core Binding Support Function (BSF)
- Oracle Communications Cloud Native Core Console (CNC Console)
- Oracle Communications Cloud Native Core Network Repository Function (NRF)
- Oracle Communications Cloud Native Core Security Edge Protection Proxy (SEPP)
The latest updates also address some of the third-party flaws in Spring Framework, which is used by multiple Oracle products. The current list includes 35 Oracle products that received fixes for flaws tracked as CVE-2022-22965 and CVE-2022-22963, each rated with a CVSS 3.1 score of 9.8.
The most impacted of Oracle families – Financial Services Applications – received 59 new security updates; 38 of these vulnerabilities are remotely exploitable without authentication.
- Ten products in this family use Spring Cloud Function and were affected by CVE-2022-22963 noted above.
- Oracle Financial Services Crime and Compliance Management Studio uses multiple third-party components affected by critical vulnerabilities rated with a CVSS 3.1 score of 9.8:
  - CVE-2021-41303 in Apache Shiro, which could allow an authentication bypass using a malicious HTTP request.
  - CVE-2018-1273, a four-year-old property binder vulnerability in Spring Data Commons that could allow unauthenticated remote code execution.
  - CVE-2022-22978 in the Spring Security framework, allowing for authorization bypass.
The Oracle Solaris Third Party Bulletin contains 10 new security updates for the Oracle Solaris Operating System; eight of these vulnerabilities may be remotely exploitable without authentication. These CVEs were fixed in Solaris 11.4 Support Repository Updates (SRU) 47.
In the July Java Development Kit (JDK) 8u341 Update Release Notes, Oracle indicated that it enabled TLS 1.3 by default on both the client and the server on all Oracle Java releases which support TLS 1.3 (8, 11, 17, 18).
If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, review the information on the advisory page referenced below.
We recommend applying the latest updates and all applicable mitigations as soon as possible.
As of 27 May 2022, researchers have been publishing details on how Windows protocol handlers can be abused for malicious purposes by referencing specially crafted Uniform Resource Locators (URLs). These issues affect all client and server versions of the Windows operating system, and there is no fix available at the time of reporting. Microsoft’s advisory provides some mitigation measures to prevent the exploitation of vulnerable systems.
On 30 May 2022, Microsoft released an advisory for a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability, tracked as CVE-2022-30190. Prior to this, several researchers published proof-of-concept code for remote execution, referring to the issue as “Follina”.
MSDT is a utility used to troubleshoot and collect diagnostic data for analysis by Microsoft Support. According to Microsoft’s documentation, MSDT “invokes a troubleshooting pack at the command line or as part of an automated script and enables additional options without user input.”
Threat actors have been leveraging the MS-MSDT URI scheme to remotely execute arbitrary code on systems running various versions of Windows. The flaw abuses the Microsoft Office remote template feature to retrieve a HyperText Markup Language (HTML) file, which then uses MSDT to execute PowerShell code.
This technique can potentially be used with any application that supports these Microsoft URI protocol handlers. Researchers noted that Office, Outlook, and .lnk files have already been used in exploitation. A malicious actor requires minimal victim interaction and can achieve code execution when the calling application (an email or a document) is opened. They can then install programs; view, change, or delete data; or create new accounts using the privileges of the calling application.
On 1 June 2022, researchers reported a similar abuse method leveraging the SEARCH-MS URI protocol handler, which Windows Saved Search files use to let applications and HTML links search the Windows operating system. The exploit combines a Microsoft Office OLEObject flaw with the protocol handler issue to open a remote Search window simply by opening a Word document, leading to a Location Path Spoofing vulnerability.
Using this method, a threat actor could force Windows Search to query file shares on remote hosts and set a custom title for the search window. When a user opens the Word document, it automatically launches a SEARCH-MS command that opens a Windows Search window. A threat actor could rename the executable shown there, e.g. to “Security Update”, to lure a victim into inadvertently installing the malware, or include the SEARCH-MS URI in a phishing email. This second vulnerability is harder to exploit than the first, as it requires more interaction from the victim, who would have to open a document and then click or run an executable.
Microsoft notes that Protected View and Application Guard for Office will alert users when a document is potentially malicious. However, when a Rich Text Format (.rtf) file is used, the code can run without opening the document, via the Preview Pane in Windows Explorer, if it is enabled.
Microsoft acknowledged the issue in its guidance for CVE-2022-30190 and is expected to fix the flaws in the protocol handlers and their underlying Windows features in an upcoming update. The company did not provide a date for the expected fix.
Clients with active blocking enabled in their Covalence monitoring are protected from this threat. Covalence continuously monitors the activity of Microsoft Office productivity software that may be susceptible to malicious documents or email attachments. Covalence detection for malicious PowerShell abuse via these protocol handlers was also in place prior to the May 2022 reports. Additionally, our teams have been applying the latest indicators of compromise and have added rules to detect and block additional aspects of this threat to ensure our clients and partners are robustly protected.
We recommend following Microsoft’s mitigation advice in the advisory referenced below. It requires disabling the MSDT URL protocol used to execute code on vulnerable systems, which can be done via Windows Group Policy Object (GPO).
We also recommend deleting the SEARCH-MS protocol handler from the Windows Registry, after you back up the registry key. The details on the mitigations are in the References section below.
Consider adding the Attack Surface Reduction (ASR) rule “Block Office applications from creating child processes”. We recommend testing the rule in Audit mode before enabling it, which lets you evaluate how the ASR rule would impact your organization. See the references below for guidance on how to enable the rule.
Consider disabling the Preview Pane in File Explorer by opening the View tab and clicking Preview Pane to hide it.
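One way to carry out the first three mitigation steps above from an elevated PowerShell session, as an added example that is neither Microsoft's nor this advisory's own code: each protocol handler key is exported to a .reg file before it is removed, and the ASR rule is set to audit mode so its effect can be reviewed before enforcement. It assumes the handlers live under HKEY_CLASSES_ROOT, the backup directory shown, and the rule ID of “Block all Office applications from creating child processes”.

```powershell
function Disable-ProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Scheme,   # e.g. ms-msdt or search-ms
        [string] $BackupDir = "$env:ProgramData\ProtocolHandlerBackups"   # assumed location
    )
    $keyPath = "HKEY_CLASSES_ROOT\$Scheme"
    $psPath  = "Registry::$keyPath"
    if (-not (Test-Path $psPath)) {
        Write-Verbose "$keyPath is not present; nothing to do"
        return $true
    }
    # Export first: 'reg import <file>' restores the handler if it is needed again
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('{0}-{1}.reg' -f $Scheme, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $keyPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Backup of $keyPath failed; the handler was left in place"
    }
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove protocol handler key')) {
        Remove-Item -Path $psPath -Recurse -Force
    }
    return -not (Test-Path $psPath)
}

function Enable-OfficeChildProcessAsrAudit {
    # Rule ID of "Block all Office applications from creating child processes" (assumed);
    # AuditMode records what the rule would block without enforcing it
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    # Read the configuration back: Actions holds one code per rule ID (2 = AuditMode)
    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $ruleId) { return ($prefs.AttackSurfaceReductionRules_Actions[$i] -eq 2) }
    }
    return $false
}

# Add -WhatIf to Disable-ProtocolHandler to see what would be removed without changing anything
foreach ($scheme in 'ms-msdt', 'search-ms') {
    Write-Host ('{0} handler absent after run: {1}' -f $scheme, (Disable-ProtocolHandler -Scheme $scheme -Verbose))
}
Write-Host ('Office child-process ASR rule in audit mode: {0}' -f (Enable-OfficeChildProcessAsrAudit))
```

Once the audit events have been reviewed, the same Add-MpPreference call with the action Enabled turns the rule into blocking mode.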