You can now find Cyber Kendra on Google News | Telegram

Microsoft Confirms Two New Exchange Zero-days Flaws

Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild.

New Exchange Zero-days Flaws

Microsoft has confirmed the two new Exchange zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the Wild. 

According to Microsoft, the first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.   

"Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082."- Microsoft said.

Microsoft acknowledges that they are aware of the vulnerabilities being exploited in wild. But Microsoft noted that for the successful exploitation of the flaws, the attacker needs authenticated access to the vulnerable Exchange Server is necessary to exploit either of the two vulnerabilities.

Microsoft Mitigation Guide

Microsoft Exchange Online Customers do not need to take any action at the moment because the zero-days only impact on-premises Microsoft Exchange instances. but Microsoft recommends that On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports. 

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. Users can also follow the URL Rewrite Instructions for the mitigation process as guided in this post. Microsoft also released a script for the URL Rewrite mitigation.

Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. 

Additionally, Exchange Admins can also block the HTTP ports 5985 and 5986, used for Remote PowerShell, which will limit the exploitation of the vulnerabilities. 

Video Demonstration by ZDI

Zero Day Initiative published the quick POC demonstration of the vulnerability on twitter.

Post a Comment

Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.
Oops!
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Site is Blocked
Sorry! This site is not available in your country.