TL;DR: Microsoft recently disclosed security vulnerabilities for two unique CVEs affecting Microsoft Exchange On-Premises (Microsoft Exchange Online customers are not impacted):

  • CVE-2022-41040: Server-Side Request Forgery (SSRF) vulnerability.
  • CVE-2022-41082: Allows remote code execution (RCE) when PowerShell is accessible to the attacker.


The Details:

A Vietnamese cybersecurity organization, GTSC, reported on September 29, 2022 that they had identified the exploitation of two previously undisclosed vulnerabilities on a fully patched Exchange Server. The attack was observed in early August 2022. The vulnerabilities were originally reported to Microsoft and the Zero Day Initiative (ZDI) in August; however, no patch has been released as of this moment. Microsoft did acknowledge the vulnerabilities today, September 30, 2022, and assigned them CVE designations. According to Microsoft, the vulnerabilities have been observed being leveraged together in attacks against Exchange Servers, with successful exploitation of the SSRF vulnerability enabling exploitation of the RCE vulnerability. Both vulnerabilities require authenticated access to the target Exchange Server.


Why we are telling you about this:

  • Threat intelligence sources, including Microsoft, have reported active exploitation of these vulnerabilities, and as of September 30, 2022, a patch is not available from Microsoft. At this time, Expel has not observed active use of these CVEs within our customer base.


Recommended next steps for your team:

  • On-premises Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block exposed Remote PowerShell ports:
  • Review your Exchange configuration to determine if Outlook Web App (OWA) is exposed to the internet. If it is exposed, determine if it is necessary for current business needs and evaluate the risk.
    • Services like Shodan and Censys can help determine what services are publicly accessible.
  • If you have a hybrid deployment as part of migration efforts, consider performing an additional asset inventory check to ensure on-premises Exchange servers were taken offline post-migration as appropriate.
  • Monitor for additional updates from Microsoft regarding any new mitigation measures as the situation develops.
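The following script is an added example written for this advisory; it is not Expel's or Microsoft's own tooling. It turns two of the steps above (block exposed Remote PowerShell ports; check whether OWA is exposed) into a repeatable audit that an Exchange administrator can run on an on-premises server. It assumes that Remote PowerShell is served on the WinRM ports 5985 (HTTP) and 5986 (HTTPS), that the firewall rule name Block-RemotePowerShell-Inbound is a placeholder chosen here, and that the Exchange Management Shell is loaded when the OWA virtual directory check runs. Without -Enforce it only reports; with -Enforce it creates the blocking firewall rule.

```powershell
# Audit an on-premises Exchange server for exposed Remote PowerShell listeners
# and optionally block them with a Windows Firewall rule.
# Added example, not the advisory's or Microsoft's own script. Assumptions:
#   - Remote PowerShell listens on WinRM ports 5985/5986 (overridable below).
#   - The rule name below is a placeholder chosen for this example.
#   - Get-OwaVirtualDirectory is available only inside the Exchange Management Shell.
[CmdletBinding()]
param(
    [int[]]$RemotePowerShellPorts = @(5985, 5986),
    [switch]$Enforce
)

$ruleName = 'Block-RemotePowerShell-Inbound'   # placeholder name

# Does a firewall port filter cover a given port? Handles 'Any', single
# ports and ranges such as '5985-5986', which Get-NetFirewallPortFilter returns as strings.
function Test-PortCovered {
    param([string[]]$FilterPorts, [int]$Port)
    foreach ($p in $FilterPorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
            return $true
        }
    }
    return $false
}

# 1. Is anything listening on the Remote PowerShell ports right now?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $RemotePowerShellPorts -contains $_.LocalPort }
if ($listeners) {
    Write-Warning "Remote PowerShell listeners found:"
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Host "No listeners on ports $($RemotePowerShellPorts -join ', ')."
}

# 2. Which enabled inbound ALLOW rules currently reach those ports?
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $hit = $false
        foreach ($port in $RemotePowerShellPorts) {
            if ($filter.Protocol -eq 'TCP' -and (Test-PortCovered $filter.LocalPort $port)) { $hit = $true }
        }
        $hit
    }
if ($allowRules) {
    Write-Warning "Inbound allow rules covering Remote PowerShell ports:"
    $allowRules | Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize
}

# 3. Create the blocking rule. Windows Firewall evaluates Block rules ahead of
#    Allow rules, so this takes effect even if the allow rules above remain.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Blocking rule '$ruleName' already present."
} elseif ($Enforce) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $RemotePowerShellPorts -RemoteAddress Any -Action Block -Profile Any | Out-Null
    Write-Host "Created blocking rule '$ruleName' for ports $($RemotePowerShellPorts -join ', ')."
} else {
    Write-Host "Dry run: re-run with -Enforce to create blocking rule '$ruleName'."
}

# 4. OWA exposure: list the internal/external URLs of each OWA virtual directory
#    so you can compare them against what is actually reachable from the internet.
if (Get-Command Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-OwaVirtualDirectory | Select-Object Server, Name, InternalUrl, ExternalUrl | Format-Table -AutoSize
} else {
    Write-Host "Exchange Management Shell not loaded; skipping OWA virtual directory check."
}
```

Run it from an elevated Exchange Management Shell on each on-premises server; the first pass without -Enforce shows what is listening and which allow rules reach those ports before anything is changed. If administrators rely on WinRM for day-to-day management, replace -RemoteAddress Any with the management subnet so the rule blocks everything else rather than all inbound traffic. The OWA section only reports configured URLs; confirm actual internet reachability with an external view such as the Shodan or Censys checks mentioned above.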


What Expel is Doing:

  • Review all vendor alerts for the past 30 days for known IOCs. [Status: Complete]
  • Monitor relevant vendor detection updates, performing adjustments as appropriate. [Status: Ongoing]
  • Evaluate TTPs for opportunities to augment existing detections, or threat hunting techniques. [Status: Complete]


More Info / References: