On 29 September 2022, Microsoft published an advisory providing a workaround for two unpatched flaws in Microsoft Exchange Server 2013, 2016, and 2019 that are being exploited in the wild in “limited targeted attacks”. We recommend following the mitigation steps below to validate whether your software or devices are affected by this vulnerability, and to apply the vendor remediation if required.
Microsoft noted that it is working on “an accelerated timeline to release a fix” for two vulnerabilities affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019, as well as Exchange servers running Outlook Web App, and are exposed to the internet.
- CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that requires prior authentication. The Zero Day Initiative (ZDI) who reported the vulnerability to Microsoft, assigned it a CVSS score of 6.3 out of 10.
- CVE-2022-41082 could enable an authenticated actor to trigger remote code execution (RCE) when PowerShell is accessible. The flaw received a CVSS v3 score of 8.8.
Researchers reported on post-exploitation activity by threat actors using these vulnerabilities. The actors have been observed using Antsword to install web shells on vulnerable Exchange servers. Antsword is an open-source cross-platform website administration tool that supports web shell management. Resulting exploitation requests appear in the same format as the ProxyShell Exchange Server vulnerabilities. Threat actors are then injecting malicious DLLs into memory, loading, and executing additional payloads on the infected servers using the WMI command-line (WMIC) utility. At the time of reporting, there is no known viable public proof-of-concept (PoC).
Covalence alerts on the presence of software impacted by this threat in your environment. Our teams are applying the latest indicators of compromise to ensure our clients and partners are protected. Covalence will detect and report anomalous authentication and other behaviour for users prior to exploitation attempts, in particular given that the exploit has the requirement for an authenticated user.
We recommend that you refer to the Microsoft advisory, noted below, to apply the mitigations. Check your log files for the indicators of compromise contained in the Microsoft advisory referenced below. If present, disconnect and isolate the affected host.
Refer to Microsoft’s advisory referenced below to apply temporary mitigations to reduce the risk of exploitation.
Please apply the latest Cumulative Update (CU) and Security Update (SU) update to the affected software as soon as the updates become available.