Updated Guidance for Microsoft Exchange Zero-Day Vulnerabilities Exploited in the Wild

Share :

On Wednesday, 5 October 2022, Microsoft published updated mitigation guidance for two zero-day vulnerabilities in Microsoft Exchange Server: CVE-2022-41040 (SSRF vulnerability) and CVE-2022-41082 (RCE vulnerability). Arctic Wolf covered initial assessments on this blog post. Organisations that run Microsoft Exchange on-prem or in a hybrid model should complete both Microsoft provided mitigations to reduce the potential for successful exploitation. Exchange Online customers are not affected and do not need to take action.  

Organisations who have the Exchange Emergency Mitigation Service (EEMS) enabled, the mitigation is enabled automatically for Exchange Server 2016 and Exchange Server 2019 with the latest Cumulative Update. The URL Rewrite mitigation is updated to include the URL Rewrite rule improvement. 

Note: Threat actors may still be able to bypass the updated URL rewrite; security researchers have reported sightings of threat actors bypassing the latest mitigation improvements by encoding portions of the request URI.  

  • Microsoft has not acknowledged or updated their security advisory to address the potential bypass as of 11:00am CDT on October 5, 2022. 

Security researchers have observed intrusions that chained the two vulnerabilities together to achieve remote code execution (RCE). Since the initial publication of GTSC’s blog, we have observed multiple IP addresses scanning for Microsoft Exchange Servers vulnerable to the two zero-day CVEs.  

Recommendations 

Recommendation #1: Run the Exchange On-premises Mitigation Tool v2 (EOMTv2) to Mitigate CVE-2022-41040 

Microsoft created a PowerShell script (EOMTv2.ps1) for the URL rewrite mitigation steps, which includes the mitigation improvements. The script must be executed on each individual server.  

Download and run the provided script from Microsoft’s Github: EOMTv2.ps1 version number 22.10.03.1829.  

Requirements to run EOMTv2:  

  • PowerShell 3 or later 
  • PowerShell script must be run as Administrator. 
  • IIS 7.5 and later 
  • Exchange 2013 Client Access Server role, Exchange 2016 Mailbox role, or Exchange 2019 Mailbox role 
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019 
  • If Operating System is older than Windows Server 2016, must have KB2999226 for IIS Rewrite Module 2.1 to work. 
  • [Optional] External Internet Connection from your Exchange server (required to update the script and install IIS URL rewrite module). 

If your Exchange on-premises does not meet the requirements to run EOMTv2, manually follow Microsoft’s instructions on applying the URL Rewrite rule. 

Instructions provided by Microsoft are below (more details here): 

  1. Open the IIS Manager.  
  2. Select Default Web Site.  
  3. In the Feature View, click URL Rewrite.  
  4. In the Actions pane on the right-hand side, click Add Rule(s). 
  5. Select Request Blocking and click OK. 
  6. Add String “.*autodiscover\.json.*Powershell.*” (excluding quotes) and click OK.  
  7. Select Regular Expression under Using. 
  8. Select Abort Request under How to block and then click OK. 
  9. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*Powershell.*” and click Edit under Conditions.  
  10. Change the condition input from {URL} to {REQUEST_URI} 

Note: Microsoft has stated there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended. 

Recommendation #2: Disable Remote PowerShell Access for Non-Admins 

Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Disable remote PowerShell access for all non-admin users within your environment. For additional guidance follow Microsoft’s Control Remote PowerShell Access to Exchange Servers documentation. 

References: 

Steven Campbell

Steven Campbell

Steven Campbell is a Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Categories