Arctic Wolf has observed an increase in exploitation of CVE-2022-41080 and CVE-2022-41082 in recent Incident Response engagements where the vulnerabilities were chained together to achieve remote code execution (RCE). This exploit chain bypasses the ProxyNotShell URL rewrite mitigations that were shared by Microsoft in September and October.
Organizations that run Microsoft Exchange on-premises or in a hybrid model should install the November patches provided by Microsoft to reduce the potential for successful exploitation. The URL rewrite mitigations that were originally provided by Microsoft will not protect you against this new exploit chain.
Note: Exchange Online is not affected and organizations do not need to take action.
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. All vulnerabilities reported above have been used in intrusions and are being actively exploited by threat actors.
Note: Arctic Wolf recommends following change management best practices when deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
| Vulnerability | Impacted Product | Update Catalog |
|---|---|---|
| CVE-2022-41080, CVE-2022-41082 | Microsoft Exchange Server 2019, 2016, and 2013 | KB5019758 |
Recommendation #2: Disable On-Premises Web Services for Microsoft 365 Deployments in a Hybrid Configuration
If possible, update your Exchange configuration to point to cloud-hosted versions of OWA, ECP, and Autodiscover instead of on-premises instances of these services. This will not only prevent exploitation of this vulnerability but will also protect against future vulnerabilities of a similar nature involving Exchange web services hosted on-premises.
For more details, see the following article: https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/
Recommendation #3: Restrict Access to External-Facing Exchange Servers
Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Leverage Access Control List (ACL) restrictions on Exchange Control Panel (ECP) and other directories within IIS. The ECP directory should not be exposed to the Internet unless absolutely necessary.
Restrict access to Exchange Servers via VPN for approved users; deny access from TOR, proxy, and third-party VPN IPs to limit exploitation. Furthermore, restrict unnecessary ports and traffic from the Exchange Server.
- Note: Necessary ports for outbound traffic from Exchange Server are 25, 53, 123, 80, and 443
Recommendation #4: Disable Remote PowerShell Access for Non-Admins
Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Disable remote PowerShell access for all non-admin users within your environment. For additional guidance follow Microsoft’s Control Remote PowerShell Access to Exchange Servers documentation.
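The following Exchange Management Shell script is an added example, not part of the Arctic Wolf bulletin or of Microsoft's documentation. It reports (and, when the dry-run switch is turned off, removes) remote PowerShell access for every user who is not a member of an Exchange admin role group; the role group names in `$AdminRoleGroups` are assumptions to be adjusted for your environment.

```powershell
# Added example: audit and remove remote PowerShell access for non-admin users.
# Run from the Exchange Management Shell on an on-premises Exchange server.
# ASSUMPTION: "Organization Management" and "Server Management" are treated as
# the admin role groups; extend the list for any service accounts that need
# remote PowerShell (e.g. hybrid or monitoring accounts) before applying.
param(
    [string[]]$AdminRoleGroups = @('Organization Management', 'Server Management'),
    [bool]$DryRun = $true   # $true only reports; set to $false to apply changes
)

# Collect the distinguished names of all accounts that legitimately need access.
$adminIds = @{}
foreach ($group in $AdminRoleGroups) {
    foreach ($member in @(Get-RoleGroupMember -Identity $group -ResultSize Unlimited)) {
        $adminIds[$member.DistinguishedName] = $true
    }
}

# Remote PowerShell is enabled by default for every user, so enumerate the
# accounts that still have it turned on.
$enabled = @(Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true')

# Anything with access that is not in an admin role group is a candidate.
$toDisable = @($enabled | Where-Object { -not $adminIds.ContainsKey($_.DistinguishedName) })

Write-Host ("{0} users have remote PowerShell enabled; {1} are not in an admin role group." -f `
    $enabled.Count, $toDisable.Count)

foreach ($user in $toDisable) {
    if ($DryRun) {
        Write-Host "Would disable remote PowerShell for $($user.UserPrincipalName)"
    } else {
        # Same cmdlet Microsoft's guidance uses for per-user removal of access.
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        Write-Host "Disabled remote PowerShell for $($user.UserPrincipalName)"
    }
}
```

Run it first with the default `$DryRun = $true` and review the list before re-running with `-DryRun $false`, since any account left out of `$AdminRoleGroups` loses the ability to open a remote Exchange session.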