CVE-2022-41040 & CVE-2022-41082: Additional Improvements Made to Remediate Microsoft Exchange Zero-Day Vulnerabilities

Over the weekend, Microsoft published additional updates to its mitigation guidance for two zero-day vulnerabilities in Microsoft Exchange Server: CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, a remote code execution (RCE) vulnerability.

Microsoft improved the EOMTv2 PowerShell script and the instructions for manually applying the URL Rewrite mitigation rule. The improvement is a new pattern for the rule, (?=.*autodiscover)(?=.*powershell), which uses two lookaheads to match any request whose decoded URI contains both "autodiscover" and "powershell", in either order and with anything in between. The previous pattern was too narrow to prevent exploitation: it only matched one specific arrangement of the request, so a threat actor could bypass it by placing the exploit components earlier in the request than the pattern expected.

Exchange Server 2016 and Exchange Server 2019 customers with the Exchange Emergency Mitigation Service (EEMS) enabled (EEMS was released in the September 2021 cumulative updates) already have the enhanced URL Rewrite rule applied automatically; no action is needed.

Note: Exchange Online users are not impacted. 

For more information about CVE-2022-41082 and CVE-2022-41040 and prior mitigations, refer to Security Bulletin “Additional Updated Guidance for Microsoft Exchange Zero-Day Vulnerabilities Exploited in the Wild” shared on October 6th, Security Bulletin “Updated Guidance for Microsoft Exchange Zero-Day Vulnerabilities Exploited in the Wild” shared on October 5th, and Security Bulletin “Microsoft Exchange On-Prem Zero-Day Vulnerabilities Exploited in the Wild” shared on September 30th. We will continue to monitor Microsoft’s mitigation guidance and provide additional updates as warranted. 

Recommendations 

Run the Improved Exchange On-premises Mitigation Tool v2 (EOMTv2)  

Download and run the updated PowerShell script (EOMTv2.ps1) from Microsoft's GitHub repository. The updated script is version 22.10.07.2029 and includes the new regex pattern.

The script must be executed on each individual server.  

Requirements:  

  • PowerShell 3 or later 
  • PowerShell script must be run as Administrator. 
  • IIS 7.5 and later 
  • Exchange 2013 Client Access Server role, Exchange 2016 Mailbox role, or Exchange 2019 Mailbox role 
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019 
  • If the Operating System is older than Windows Server 2016, it must have KB2999226 for IIS Rewrite Module 2.1 to work. 
  • [Optional] External Internet Connection from your Exchange server (required to update the script and install IIS URL rewrite module). 

If your on-premises Exchange server does not meet the requirements to run EOMTv2, apply the URL Rewrite rule manually by following Microsoft's instructions.

Microsoft's instructions are below:

  1. Open the IIS Manager.  
  2. Select Default Web Site.  
  3. In the Feature View, click URL Rewrite.  
  4. In the Actions pane on the right-hand side, click Add Rule(s). 
  5. Select Request Blocking and click OK. 
  6. Add the string (?=.*autodiscover)(?=.*powershell). This is the improved pattern; do not reuse the pattern from earlier guidance.  
  7. Select Regular Expression under Using. 
  8. Select Abort Request under How to block and then click OK. 
  9. Expand the rule and select the rule with the Pattern (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.  
  10. Change the condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK. 
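The same rule the manual steps create, applied from PowerShell with the WebAdministration module, as an added example (this is not Microsoft's EOMTv2 script, which remains the preferred route wherever its requirements are met). It assumes an elevated PowerShell session on the Exchange server, that the IIS URL Rewrite module is already installed, and that the front-end site is named Default Web Site; the rule name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's EOMTv2 script. Assumes: elevated session on the
# Exchange server, IIS URL Rewrite module already installed, front-end site named
# "Default Web Site". The rule name below is hypothetical.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$RuleName  = 'ProxyNotShell-Block'
$Pattern   = '(?=.*autodiscover)(?=.*powershell)'
$PSPath    = "IIS:\Sites\$SiteName"
$RulesPath = 'system.webServer/rewrite/rules'
$RulePath  = "$RulesPath/rule[@name='$RuleName']"

# Without the URL Rewrite module the rewrite section is not in the IIS schema and
# the cmdlets below fail with an unhelpful error, so check for its binary first.
$rewriteDll = Join-Path $env:SystemRoot 'System32\inetsrv\rewrite.dll'
if (-not (Test-Path $rewriteDll)) {
    throw "IIS URL Rewrite module not found ($rewriteDll); install it or let EOMTv2 do so."
}

# Idempotent: drop an earlier copy of this rule so re-running does not duplicate it.
if (Get-WebConfiguration -PSPath $PSPath -Filter $RulePath) {
    Remove-WebConfigurationProperty -PSPath $PSPath -Filter $RulesPath -Name '.' -AtElement @{ name = $RuleName }
}

# Steps 4-8: a Request Blocking rule. The rule's own match is every URL (".*");
# the blocking pattern lives in the condition. Pattern syntax defaults to
# regular expressions, matching the "Regular Expression" choice in IIS Manager.
Add-WebConfigurationProperty -PSPath $PSPath -Filter $RulesPath -Name '.' -Value @{
    name           = $RuleName
    stopProcessing = 'True'
}
Set-WebConfigurationProperty -PSPath $PSPath -Filter "$RulePath/match"  -Name 'url'  -Value '.*'
Set-WebConfigurationProperty -PSPath $PSPath -Filter "$RulePath/action" -Name 'type' -Value 'AbortRequest'

# Steps 9-10: test the decoded request URI rather than {URL}, so percent-encoded
# requests are inspected in the same form the backend would see them.
Add-WebConfigurationProperty -PSPath $PSPath -Filter "$RulePath/conditions" -Name '.' -Value @{
    input   = '{UrlDecode:{REQUEST_URI}}'
    pattern = $Pattern
}

# Read the rule back and confirm the input and pattern before moving to the next server.
Get-WebConfiguration -PSPath $PSPath -Filter "$RulePath/conditions/add" |
    Select-Object input, pattern, ignoreCase
```

Run it once per Exchange server, as with EOMTv2. The read-back at the end is the check a practitioner wants after an emergency change: the condition input must show {UrlDecode:{REQUEST_URI}} and the pattern must be the lookahead form, otherwise the rule is the older, bypassable one.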

Note: Microsoft has stated there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended. 

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.