Nynox advisory - Threat alert -
Microsoft Exchange
(CVE-2022-41040 & CVE-2022-41082)
– Date: 4 October 2022 –
Is your Exchange server exposed to the internet? Keep reading. Your company may be at risk. Last week Microsoft confirmed a zero-day exploit of Microsoft Exchange. This zero-day uses a specific path to access a component in the Exchange backend and perform remote code execution.
Nynox and Orlox have been assisting companies in patching and defending against these potential threats for the past days.
What is it about?
❗️The exploit consists of two vulnerabilities: The first one (CVE-2022-41040), a Server-Side Request Forgery (SSRF), can enable an authenticated attacker to remotely trigger the second one (CVE-2022-41082), remote code execution (RCE) when PowerShell is accessible.
❗️Authenticated access to the vulnerable Exchange Server is necessary to exploit either vulnerability successfully.
❗️Attackers can exploit these vulnerabilities separately.
How does it work?
⚙️ An attacker sends a malicious HTTP request to the internet-facing Exchange On-Prem server with a link with Powershell embedded.
⚙️ The attacker can execute code remotely and open a web shell on the Exchange server
⚙️ Once access is granted, the attacker can run commands to infiltrate your environment further
⚙️ These vulnerabilities require authentication
⚠️ Keep in mind that malicious actors can acquire user credentials through attacks, such as password spray or purchasing them in black markets.
Why is this vulnerability serious?
⚠️ Attackers can execute it on public-facing Exchange servers on port 443
⚠️ Various Exchange servers are published to the internet through port 443 to allow users to access their emails (OWA).
⚠️ The attacker can execute code remotely to compromise your environment
⚠️ There are no patches out yet
How does Nynox protect its customers?
🛡️ 24×7 monitoring of the onboarded Exchange devices
🛡️ Free threat hunting for SOC customers based on the indicators for this attack
🛡️ Personalized assistance to mitigate the risk
🛡️ 24×7 Incident Response (CSIRT) in case of compromise
What can you do to mitigate the risk?
✅ Mitigations to be implemented are currently being discussed publicly and successfully break current attack chains. Check the Comments section for detailed steps.
But what if you can’t?
✅ Check if your Next-Generation Firewall or WAF has signatures to prevent this attack. Doing so will allow you to apply virtual patching
✅ Contemplate limiting the access of your Exchange server as much as possible. You could restrict public access to specific Public IPs or countries
✅ Contemplate closing port 443 for incoming communications in your Exchange server