Additional Updated Guidance for Microsoft Exchange Zero-Day Vulnerabilities Exploited in the Wild



Late Wednesday, 5 October 2022, Microsoft published additional updated mitigation guidance for the two zero-day vulnerabilities in Microsoft Exchange Server that were exploited in the wild: CVE-2022-41040 (SSRF vulnerability) and CVE-2022-41082 (RCE vulnerability).  

Microsoft improved their EOMTv2 PowerShell script, along with the instructions for manually applying the URL Rewrite mitigation rule. The improvement is that the rule’s condition input is now {UrlDecode:{REQUEST_URI}}, so the blocking pattern is matched against the URL-decoded request URI. The previous instructions were not sufficient to prevent exploitation: because the earlier condition was not evaluated against the decoded request URI, threat actors could bypass the mitigation by percent-encoding portions of the request URI so that it no longer matched the blocking pattern.  

For more information about CVE-2022-41040 and CVE-2022-41082 and the prior mitigations, refer to the Security Bulletin “Updated Guidance for Microsoft Exchange Zero-Day Vulnerabilities Exploited in the Wild” shared on 6 October and the Security Bulletin “Microsoft Exchange On-Prem Zero-Day Vulnerabilities Exploited in the Wild” shared on 30 September.  

Recommendations 

Run the Improved Exchange On-premises Mitigation Tool v2 (EOMTv2)  

Download and run the updated PowerShell script (EOMTv2.ps1) from Microsoft’s GitHub repository; the corrected version is EOMTv2.ps1 version 22.10.06.0840. This version writes the rule with the correct condition input {UrlDecode:{REQUEST_URI}}. 

The script must be executed on each individual server.  

Requirements:  

  • PowerShell 3 or later 
  • PowerShell script must be run as Administrator. 
  • IIS 7.5 and later 
  • Exchange 2013 Client Access Server role, Exchange 2016 Mailbox role, or Exchange 2019 Mailbox role 
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019 
  • If the Operating System is older than Windows Server 2016, it must have KB2999226 for IIS Rewrite Module 2.1 to work. 
  • [Optional] External Internet Connection from your Exchange server (required to update the script and install IIS URL rewrite module). 

If your on-premises Exchange server does not meet the requirements to run EOMTv2, apply the URL Rewrite rule manually by following Microsoft’s instructions. 

Instructions provided by Microsoft are below: 

  1. Open the IIS Manager. 
  2. Select Default Web Site.  
  3. In the Feature View, click URL Rewrite.  
  4. In the Actions pane on the right-hand side, click Add Rule(s). 
  5. Select Request Blocking and click OK. 
  6. Add String “.*autodiscover\.json.*Powershell.*” (excluding quotes).  
  7. Select Regular Expression under Using. 
  8. Select Abort Request under How to block and then click OK. 
  9. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*Powershell.*” and click Edit under Conditions.  
  10. Change the condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK. 
  • The condition input in step 10 is the only change from the prior recommendations provided by Microsoft. 
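Whether the rule was applied by EOMTv2 or by hand, it is worth verifying on each server that the rule exists and that its condition input really is {UrlDecode:{REQUEST_URI}} rather than a leftover from the earlier guidance. The following PowerShell script is an added example (not part of the original post, of Microsoft’s instructions, or of EOMTv2): it is a read-only audit that uses the Microsoft.Web.Administration API shipped with IIS to list the URL Rewrite rules on the Default Web Site whose condition pattern is Microsoft’s blocking pattern, and reports whether each one uses the corrected condition input. The function name Get-ExchangeBlockRuleStatus is an assumption; it must be run in an elevated PowerShell session on the Exchange server itself.

```powershell
# Added example: audit the ProxyNotShell URL Rewrite rule on an Exchange server.
# Read-only; it changes nothing in IIS. Requires the IIS URL Rewrite module to be
# installed (otherwise the rewrite/rules section does not exist).

$ExpectedPattern = '.*autodiscover\.json.*Powershell.*'   # Microsoft's published pattern
$ExpectedInput   = '{UrlDecode:{REQUEST_URI}}'           # corrected condition input

function Get-ExchangeBlockRuleStatus {
    param([string]$SiteName = 'Default Web Site')

    # Microsoft.Web.Administration ships with IIS in the inetsrv folder.
    $dll = Join-Path $env:windir 'System32\inetsrv\Microsoft.Web.Administration.dll'
    [void][System.Reflection.Assembly]::LoadFrom($dll)

    $serverManager = New-Object Microsoft.Web.Administration.ServerManager
    $siteConfig    = $serverManager.GetWebConfiguration($SiteName)
    $rules         = $siteConfig.GetSection('system.webServer/rewrite/rules').GetCollection()

    $results = foreach ($rule in $rules) {
        # A rule created with the Request Blocking template (and the one EOMTv2
        # writes) carries the blocking pattern in its condition, not in match/url.
        $conditions = $rule.GetChildElement('conditions').GetCollection()
        foreach ($cond in $conditions) {
            if ([string]$cond['pattern'] -eq $ExpectedPattern) {
                [pscustomobject]@{
                    Rule           = [string]$rule['name']
                    ConditionInput = [string]$cond['input']
                    Pattern        = [string]$cond['pattern']
                    DecodesUri     = ([string]$cond['input'] -eq $ExpectedInput)
                }
            }
        }
    }
    $serverManager.Dispose()

    if (-not $results) {
        Write-Warning "No URL Rewrite rule with pattern '$ExpectedPattern' found on '$SiteName'."
    }
    return $results
}

Get-ExchangeBlockRuleStatus | Format-Table -AutoSize
```

A server is only mitigated as Microsoft now recommends when at least one row shows DecodesUri = True; a row with ConditionInput of {URL} or {REQUEST_URI} is the earlier, bypassable rule and should be edited as in step 10 above or replaced by re-running the updated EOMTv2. Because the script only reads configuration, it is safe to run from an inventory or compliance job across every Exchange server after the mitigation has been rolled out.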

Note: Microsoft has stated there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended. 



Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.