OCTOBER 24, 2022 21:18 GMT
Attempts to exploit the chained attack utilizing CVE-2022-41040 and CVE-2022-41082 are being observed in the wild, while Microsoft has yet to issue an update.
Background
Managed security services provider Novacoast has recently observed increased scanning activity for Exchange Server-Side Request Forgery (SSRF) vulnerabilities.
The most recent SSRF vulnerability (CVE-2022-41040) is one half of a two-stage attack; it is chained with the remote code execution vulnerability CVE-2022-41082.
This vulnerability remains unpatched by Microsoft, though workarounds exist; they are described in the original advisory, “Microsoft Warns of Two Actively-Exploited Exchange Zero-Days,” published in late September.
The goal of this advisory is to update administrators on the status of the workaround and to alert them to the recently observed activity attempting to exploit the vulnerability.
Update Detail
Current mitigation for CVE-2022-41040 and CVE-2022-41082 involves applying a URL Rewrite Rule.
The recommended URL Rewrite string has been updated multiple times by Microsoft in recent weeks, meaning existing manual mitigations may not be adequate against the most recent attacks.
Microsoft has created an automated Emergency Mitigation Service (EM Service) to apply the most recent fixes while a full patch is developed.
It is also worth noting that this is not the only recent critical SSRF vulnerability affecting Exchange. The ProxyShell vulnerability (CVE-2021-34473) was also disclosed this year. That vulnerability is patched, but it shows how serious this attack vector has become.
Mitigation
It is important to continue monitoring the official Microsoft documentation until a full patch is developed. In light of increased scanning volume, it is recommended you validate any manually applied mitigations against current documentation.
The Exchange Emergency Mitigation Service (EM Service) applies the updated mitigations for CVE-2022-41040 and CVE-2022-41082 automatically. This provides additional protection if the current mitigation has to be changed yet again.
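Because the recommended rewrite string has changed several times, the practical check is to read back what is actually configured on each server and compare it, character for character, with the version in Microsoft's current guidance. The following PowerShell is an added example written for this advisory; it is not Novacoast's or Microsoft's code. It assumes it is run from the Exchange Management Shell on an on-premises Exchange server, that Exchange setup has populated $env:ExchangeInstallPath, and that the manual rewrite rule was applied on the Autodiscover virtual directory under Default Web Site (so it lives in that directory's web.config). The MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties, the MSExchangeMitigation service name and the officeclient.microsoft.com endpoint come from Microsoft's EM Service documentation.

```powershell
# Added example (not from the advisory or from Microsoft): read back the
# ProxyNotShell mitigation status on one Exchange server so it can be
# compared with the current Microsoft guidance.
# Assumptions: Exchange Management Shell, run locally on the Exchange server.

# --- 1. Emergency Mitigation Service: enabled, running, and what it has applied ---
$org = Get-OrganizationConfig
"Org-level MitigationsEnabled : $($org.MitigationsEnabled)"

$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME
"Server MitigationsEnabled    : $($srv.MitigationsEnabled)"
"MitigationsApplied           : $($srv.MitigationsApplied -join ', ')"
"MitigationsBlocked           : $($srv.MitigationsBlocked -join ', ')"

$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
"EM service status            : $(if ($svc) { $svc.Status } else { 'not installed' })"

# The EM service fetches new mitigations over HTTPS from Microsoft's OCS endpoint;
# if this is blocked, the service cannot deliver rule updates.
$reachable = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -InformationLevel Quiet
"Outbound 443 to officeclient.microsoft.com : $reachable"

# --- 2. Manually applied URL Rewrite rules on the Autodiscover virtual directory ---
# Assumed location: the web.config of the Autodiscover front-end directory. Rules applied
# at the Default Web Site level instead are stored in applicationHost.config, not here.
$webConfig = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\Autodiscover\web.config'
if (-not (Test-Path $webConfig)) {
    "web.config not found at $webConfig"
    return
}

[xml]$cfg  = Get-Content -Path $webConfig
$rules = $cfg.configuration.'system.webServer'.rewrite.rules.rule
if (-not $rules) {
    "No URL Rewrite rules found in $webConfig"
    return
}

foreach ($r in $rules) {
    ""
    "Rule name      : $($r.name)"
    "Match URL      : $($r.match.url)"          # the regex string that has changed over time
    "Action         : $($r.action.type)"        # expected: AbortRequest for a request-blocking rule
    foreach ($c in $r.conditions.add) {
        # The condition input matters as much as the pattern: a rule applied to the raw
        # request URI behaves differently from one applied to a URL-decoded input.
        "Condition      : input=$($c.input) pattern=$($c.pattern)"
    }
}
```

Run it on every Exchange server, not just one, and treat any difference between the printed Match URL / Condition input and the current Microsoft guidance as a mitigation that needs to be reapplied. A server whose EM service is disabled or cannot reach the OCS endpoint will not receive future rule updates automatically, so its manual rule must be reviewed each time the guidance changes.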
Affected Versions
This issue impacts Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
At time of publishing, no action was required from Exchange Online customers.
Resources
- Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
  https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- Exchange Emergency Mitigation (EM) Service Documentation
  https://learn.microsoft.com/en-us/exchange/exchange-emergency-mitigation-service?view=exchserver-2019
- Official Documentation for CVE-2022-41040
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040
- Official Documentation for CVE-2022-41082
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
- Official Documentation for CVE-2021-34473
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- NVD Entry for CVE-2022-41040
  https://nvd.nist.gov/vuln/detail/CVE-2022-41040
- NVD Entry for CVE-2022-41082
  https://nvd.nist.gov/vuln/detail/CVE-2022-41082
- NVD Entry for CVE-2021-34473
  https://nvd.nist.gov/vuln/detail/CVE-2021-34473