Overview
Two vulnerabilities were reported that affect Microsoft Exchange Server (on-premises).
- CVE-2022-41040 - Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability
Vulnerable systems
- Microsoft Exchange 2013
cpe:2.3:a:microsoft:exchange_server:2013:*:*:*:*:*:*:*
- Microsoft Exchange 2016
cpe:2.3:a:microsoft:exchange_server:2016:*:*:*:*:*:*:*
- Microsoft Exchange 2019
cpe:2.3:a:microsoft:exchange_server:2019:*:*:*:*:*:*:*
Scope of the problem
These vulnerabilities, when exploited, allow an attacker to remotely control the Exchange Server. Although exploitation requires an authenticated user, it must be understood that the credentials of any email user will probably qualify. Attackers in possession of lists of phished credentials can therefore use them for their criminal purposes.
Fixing and mitigation
Microsoft published Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server and Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.
Microsoft provides the Exchange On-premises Mitigation Tool v2 (EOMTv2), a PowerShell script that mitigates CVE-2022-41040. The mitigation is applied via a URL rewrite configuration.
Detection and logs
Scanning for vulnerable Exchange Servers can be done with this Nmap NSE script.
Microsoft recommends using classical web shell detection in such environments. The article Web Shell Threat Hunting with Azure Sentinel is a good starting point.
Microsoft Exchange writes logs to several locations: some are kept with the IIS logging and others under the Exchange Server logs.
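As an added example (not CIRCL's or Microsoft's code), the following Python script hunts through IIS W3C log lines for requests matching the URL pattern the mitigation targets and then pivots on the source IP to list everything else that client did. The log lines are constructed, and the pattern (a request URI mentioning both "autodiscover" and "powershell") is an assumption based on the published URL rewrite mitigation.

```python
import re
from collections import defaultdict

# Constructed IIS W3C sample (not real traffic): a normal Autodiscover request,
# a request matching the mitigation pattern, then a follow-up from the same IP.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.0.21 Outlook 200
2022-09-30 08:00:07 10.0.0.5 GET /autodiscover/autodiscover.json probe=powershell 443 CORP\\bob 198.51.100.7 python-requests/2.28 200
2022-09-30 08:01:12 10.0.0.5 POST /owa/auth/somefile.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

# Assumption: mirrors the intent of Microsoft's URL rewrite mitigation, which
# blocks requests whose URI contains both "autodiscover" and "powershell".
MITIGATION_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.I)

def parse_iis_w3c(text):
    """Yield one dict per request line, taking field names from the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def hunt(text):
    """Return (hits, pivot): hits are requests matching the mitigation pattern;
    pivot maps each hitting client IP to every request it made, for triage."""
    entries = list(parse_iis_w3c(text))
    hits = [e for e in entries
            if MITIGATION_PATTERN.search(e["cs-uri-stem"] + "?" + e["cs-uri-query"])]
    suspect_ips = {e["c-ip"] for e in hits}
    pivot = defaultdict(list)
    for e in entries:
        if e["c-ip"] in suspect_ips:
            pivot[e["c-ip"]].append(e["cs-method"] + " " + e["cs-uri-stem"])
    return hits, dict(pivot)

if __name__ == "__main__":
    hits, pivot = hunt(SAMPLE_LOG)
    for h in hits:
        print("HIT", h["date"], h["time"], h["c-ip"], h["cs-username"], h["cs-uri-stem"])
    for ip, reqs in pivot.items():
        print("PIVOT", ip, reqs)
```

The username on a hit tells you which account's credentials were used, which is the starting point for resetting them and reviewing that mailbox; the pivot list shows what the same client did afterwards, such as POSTs to unexpected .aspx files.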
Do I need to install the mitigation on internal, non-exposed Exchange servers?
Yes. At a later stage, when the patch becomes available, the patch can be installed too.
Have you seen exploited servers in Luxembourg?
Until now, CIRCL has not received any incident reports for these vulnerabilities. Nevertheless, we would like to remind readers that applying the mitigation and reviewing logs are critical.
Microsoft observed some exploitation (in fewer than 10 organisations) in August 2022, as described:
MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.
I applied the patch but I don’t have any resources for further investigation. What should I do?
In all cases, we recommend performing a full incident response process, including a security review of the system.
Other preparation to consider
Since phished credentials can be used to exploit the vulnerability as an authenticated user, it is highly advised to make it harder to phish credentials from users, for instance by using Multi-Factor Authentication (MFA/2FA) and awareness campaigns.
References
- CIRCL: TR-61 - Critical vulnerabilities in Microsoft Exchange
- CIRCL: TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
- Microsoft: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
- Microsoft: Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.1 - TLP:WHITE - NSE script added - 4th October 2022
- Version 1.0 - TLP:WHITE - First version - 30th September 2022